Security Vulnerabilities in Online Advertisement Systems

Since I started experimenting with online advertisements myself, I started noticing a worrying trend of practices that are vulnerable to malicious activities. Security holes are of course not limited to online advertising software and services, but the very nature of it makes it potentially more harmful than run-of-the-mill security vulnerabilities.

The first issue is, of course, that there is money involved, which gets the criminal elements involved right away. The potential victims are often individuals hoping for quick and easy extra income using point-and-click solutions, without the know-how to vet the security of those solutions. And at least in the United States, to be able to receive income, individuals need to give their name, address, phone number, social security number and potentially other tax documentation to the entity through which they get the advertisements to publish on their sites. All that personal information is just waiting to be captured and used for identity theft. Users also expect that, since all this personal data and money is involved, the software and service providers will be especially careful about security, but unfortunately this does not always seem to be the case. The users cannot be expected to enforce security either; the dancing pigs problem is well known.

In my experience the smaller and less experienced software and service providers are on the whole more likely to suffer from security vulnerabilities, but the big players are not immune either.

Here are three examples of issues I have noticed:

  1. A marketing plugin for WordPress provides two ways to fetch the ad information. The one they recommend uses PHP to fetch PHP code from their host over HTTP and execute it without any checks. If an attacker can inject their own code, the attacker’s code can run with the web server’s permissions, reading login and password information from the WordPress installation at a minimum. Depending on the web server configuration, it might also have access to other areas of the file system. This is an especially worrying attack now that Kaminsky’s DNS vulnerability has been disclosed, which makes the code injection easy. The fix for this issue would be to provide PHP code that only fetches ad parameters, which are validated before being used, so that nothing received over the network is ever executed. The connections could also be protected with SSL, which would be an even better guarantee that no bogus data was returned.
  2. A Google AdSense competitor requires their users to log in and submit all their personal information over an unsecured connection!
  3. Many Google AdSense account holders will use the same Google account to log in to their Google Analytics pages. (In fact, they will probably use the same account for GMail and every other Google service that requires an account.) However, if you go to https://www.google.com/analytics, you will be redirected to the unsecured login page, giving malicious parties a way to get the user’s account information and access to the victim’s AdSense information and other services. The workaround is to log in through https://www.google.com/analytics/home. This issue has been discovered before by other people and reported to Google.
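
The fix suggested in the first item, sketched as an added example (not the plugin's code): the ad is fetched as JSON over verified HTTPS, every field is validated, and nothing received is executed. The host name, the `title`/`link` fields and the size limits are assumptions.

```php
<?php
// Added example, not the plugin's code; endpoint, field names and limits are assumed.
// Pattern the post warns about: eval(file_get_contents('http://ads.example.invalid/ad.php'));

function fetch_ad_json(string $url): ?string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse plain HTTP
        CURLOPT_SSL_VERIFYPEER => true,            // check certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,               // check host name
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null;
}

function validate_ad(string $json): ?array {
    if (strlen($json) > 4096) return null;              // size cap
    $ad = json_decode($json, true);                      // parsed as data, never run
    if (!is_array($ad)) return null;
    $title = $ad['title'] ?? null;
    $link  = $ad['link'] ?? null;
    if (!is_string($title) || $title === '' || strlen($title) > 100) return null;
    if (!is_string($link) || filter_var($link, FILTER_VALIDATE_URL) === false) return null;
    $scheme = strtolower((string) parse_url($link, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) return null;
    return ['title' => $title, 'link' => $link];
}

function render_ad(array $ad): string {
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $e($ad['link']) . '" rel="nofollow">' . $e($ad['title']) . '</a>';
}

// Constructed responses; live use: fetch_ad_json('https://ads.example.invalid/ad.json').
$responses = [
    '{"title":"Fresh <b>coffee</b>","link":"https://shop.example.invalid/c?id=7"}',
    '<?php echo "injected"; ?>',
    '{"title":"Click","link":"javascript:alert(1)"}',
];
foreach ($responses as $r) {
    $ad = validate_ad($r);
    echo $ad ? render_ad($ad) : '<!-- ad rejected -->', PHP_EOL;
}
```

Only the first constructed response is rendered, with its markup escaped; the PHP snippet and the non-HTTP link are rejected before anything reaches the page.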

I have some recommendations for online publishers to make it safer to operate in the advertisement business:

  1. If possible, form a company. Company information is public anyway, so there is not much harm in divulging this to others. This isn’t such an appealing prospect for people starting in the publisher business because of the extra paperwork and, in some cases, the significant amount of money and time that is required to start and run a company.
  2. Make sure that you are giving and viewing personal information only through a secure connection. If you can’t see a link to a secure area, try changing http to https and hitting enter. In some cases you will be lucky and get the secure version of the page. If that does not work, email the service provider and ask if they have a secure version. Even if they don’t, this will give them incentive to work on implementing the secure version. You could also use other means of sending your information to the company, like calling or sending a letter by courier for example. But keep in mind that they might add your information on your behalf to the database that serves the data unsecured over the network. There is also quite a bit of competition in the ad space, so look at the competitors as well.
  3. When given a choice of ad injection method, as a rule of thumb HTML markup is safer than doing anything on the server side, so opt for the HTML version (this would typically be a JavaScript tag). If server side is the only option, you would do well to either check the code yourself or ask someone else to go through the code looking for security vulnerabilities. This is a big topic in itself, and there are several books written on the topic, but one easy thing to check for is the use of “eval” or “exec”, which are available in most languages. Any use of such a thing is a warning sign. Basically, the code should treat all the data that it reads over the network as potentially dangerous and do sanity checks on it before using it. A corollary of this advice is to avoid using plugins to manage ads and instead do this by hand, inserting the ad markup in the desired locations. Of course, this is not possible if you maintain large sites.
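
The “eval”/“exec” check from the third recommendation, as an added example that is not from the original post: it walks PHP source with the tokenizer, so mentions inside comments and strings are ignored and method calls such as `$db->exec()` are not flagged. It requires PHP 8; the list of flagged function names and the sample source are assumptions.

```php
<?php
// Added example, not from the post. Requires PHP 8; the list of flagged
// function names is a starting point chosen for illustration.
const RISKY_CALLS = ['exec', 'system', 'shell_exec', 'passthru', 'popen', 'proc_open'];

function find_risky_calls(string $source): array {
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(
        token_get_all($source),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));
    $hits = [];
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) continue;
        [$id, $text, $line] = $t;
        if ($id === T_EVAL) {
            $hits[] = ['line' => $line, 'call' => 'eval'];
            continue;
        }
        if ($id !== T_STRING && $id !== T_NAME_FULLY_QUALIFIED) continue;
        $name = strtolower(ltrim($text, '\\'));
        if (!in_array($name, RISKY_CALLS, true)) continue;
        $prev = $tokens[$i - 1] ?? null;
        $prevId = is_array($prev) ? $prev[0] : null;
        // Skip $obj->exec(), Class::exec() and "function exec(" declarations.
        $notGlobal = [T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION];
        if (in_array($prevId, $notGlobal, true)) continue;
        if (($tokens[$i + 1] ?? null) === '(') {
            $hits[] = ['line' => $line, 'call' => $name];
        }
    }
    return $hits;
}

// Constructed plugin source for the demonstration.
$sample = <<<'PHP'
<?php
// eval() in a comment is not flagged
$code = file_get_contents('http://ads.example.invalid/ad.php');
eval($code);
$db->exec('DELETE FROM cache');
$out = shell_exec('uptime');
PHP;

foreach (find_risky_calls($sample) as $hit) {
    printf("line %d: %s()\n", $hit['line'], $hit['call']);
}
```

A hit is a place to start reading, not a verdict: what matters is whether data read from the network can reach the flagged call.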

One Comment

  1. Payday Loans:

    Thanks for the information. I have always been scared to advertise online. I have seen advertisements that I wanted to look at but click on them and then other things pop up.