As more and more third-party content is introduced to public websites, the risks involved are growing and need to be carefully managed.

While the inclusion of a YouTube video (for instance) may seem very straightforward, there are specific security risks with such a data feed that need to be carefully considered and, where appropriate, managed using specialised systems and tools.

In fact, two recent cases involving security breaches at major third-party content providers highlight these risks.

Background

More and more websites are linking to third-party data feeds. Examples, to name a few, include:

  • video linkages from third-party sources such as YouTube;
  • image serving from external data sources;
  • integrating third-party functionality into a website; and
  • automatic news feeds from third-party content providers.

Risks

While embedding video from a third-party content source may seem very straightforward, there are specific security risks with third-party data feeds that need to be assessed. For instance, while the video linkage may seem benign, it is possible for a video file to be compromised and malicious code appended to it.

In this scenario, the malicious code could run in the user’s browser whenever the video is played, potentially undetected by both the user and the website administrator. Were this to occur, it is possible that the undetected malicious code could, for example, introduce a click-jacking link overlay over a legitimate button or link. If the user then clicks on the button, their session could be redirected or they could unknowingly initiate a malware download.

Examples

Two recent cases highlight the risk involved.

1. Eyewonder

On 3 July it was reported that some ads provided through EyeWonder (an online ad server) appeared to have been compromised. EyeWonder is a major online advertising cross-platform deployment provider serving digital advertising campaigns on behalf of agencies and corporates across public websites. These include many high-traffic sites such as CNN, BBC, Washington Post and even the online game WorldOfWarcraft.

The reports indicated that users were seeing ads served through the EyeWonder network flagged by their browsers with malware warnings.

Effectively, malicious content was apparently being pushed out through legitimate sites through the EyeWonder ad network. EyeWonder subsequently issued a statement saying that it ‘…appears the EW.com domain was potentially maliciously “hacked” causing these … alerts to appear’.

Subsequent investigations indicated that the EyeWonder domain exploit may have been linked to ColdFusion injection attacks that were reportedly occurring at the time.

2. Imageshack

On 11 July, the servers of Imageshack, one of the most successful image/media hosting companies on the web, were hacked.

Imageshack customers host their media files on these servers and then link to them from their external websites, blogs, etc. Essentially, customers are ‘feeding’ media content to their websites from Imageshack in the same way as we do with third-party data/content feeds to credit union websites.

The 11 July breach was undertaken by a hacking group called the Anti-Sec Movement. As a result of the penetration, Imageshack customers suddenly found the image at right replacing many of the images that would normally be found on their websites/blogs.

While in this case the image was relatively benign, this need not have been the case.

Four ways to manage the risks

What does all this tell us? It tells us that while linking data feeds from third-party suppliers is possible, we should be careful.

Even major, reputable organisations such as EyeWonder and Imageshack are subject to potential penetration; and if we rely on their security systems alone we may open ourselves to exploitation.

Therefore, in delivering third-party content to websites with strong security profiles, good practice should include some or all of the following:

  1. prohibit the direct serving of third-party data onto highly-sensitive applications or website pages;
  2. where practical, sanitise the data feed before it is served;
  3. if possible, host the data source yourself; and
  4. monitor the data feed for any changes to third-party file format and malicious code. This may require the use of specialised, dedicated systems/tools.
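As an added illustration of practice 4 (monitoring a feed for format changes and appended code), and not code from the original article: a small Python checker that compares each fetched item against a baseline hash taken when the feed was vetted, verifies that the bytes match the declared file format, and flags markup that should never appear inside an image. The PNG/GIF byte strings, the baseline and the tampered sample are all constructed here for the demonstration.

```python
import hashlib
from typing import Dict, List, Optional

# Magic-byte prefixes for the formats the feed is expected to carry.
# Assumption: the feed serves only these types; extend as needed.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Byte patterns that have no business inside an image or video payload.
SUSPECT_MARKERS = (b"<script", b"<iframe", b"javascript:", b"eval(")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_feed_item(data: bytes, declared_type: str,
                    baseline_sha256: Optional[str]) -> List[str]:
    """Return findings for one fetched item; an empty list means it matches expectations."""
    findings: List[str] = []
    prefixes = MAGIC.get(declared_type)
    if prefixes is None:
        findings.append(f"unexpected content type {declared_type!r}")
    elif not data.startswith(prefixes):
        findings.append(f"header does not match {declared_type}")
    # Any change from the vetted snapshot is reported, even if it looks harmless.
    if baseline_sha256 is not None and sha256_hex(data) != baseline_sha256:
        findings.append("content changed since baseline snapshot")
    lowered = data.lower()
    for marker in SUSPECT_MARKERS:
        if marker in lowered:
            findings.append(f"suspect marker {marker!r} found in payload")
    return findings


# Constructed sample: a "known-good" item captured when the feed was first vetted.
GOOD_PNG = MAGIC["image/png"][0] + b"\x00\x00\x00\rIHDR" + b"\x00" * 16
BASELINE = sha256_hex(GOOD_PNG)
# Constructed tamper case: the same file with script appended, as the article describes.
TAMPERED_PNG = GOOD_PNG + b"<script>/* appended payload */</script>"


def monitor_example() -> Dict[str, List[str]]:
    return {
        "good": check_feed_item(GOOD_PNG, "image/png", BASELINE),
        "tampered": check_feed_item(TAMPERED_PNG, "image/png", BASELINE),
        "mislabelled": check_feed_item(b"GIF89a" + b"\x00" * 8, "image/png", None),
    }


if __name__ == "__main__":
    for name, findings in monitor_example().items():
        print(name, "->", findings or ["ok"])
```

In practice the baseline hashes would be stored when the feed is approved and the check run on every fetch, with any non-empty result blocking the item from being served.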


Conclusion

Including third-party data feeds on a website can be great; but we all should be very careful about how we do it.