Iframe busters lead to XSS on 2% of all websites

It is no secret that ad placements are a revenue stream for online media channels, but something not commonly known is that the ad technology iframe busters used often introduces vulnerabilities. If you are selling or buying advertisement online, this could impact you. We recently found that 2% of the internet is using this technology and thus vulnerable to a common web application vulnerability, cross-site scripting (XSS). This list includes some high-traffic newspaper agencies, trusted tech news publications and popular lifestyle pages.

This article explains how iframe busters can lead to vulnerabilities on your website, and how it can impact the business regardless on type of website.

What iframe and iframe buster are

Iframes are commonly used to embed advertisement. External resources that are loaded in an iframe has certain restrictions in a web browser, meaning it cannot access the rest of the page. This includes access to the cookies, ability to affect the content of the website, and so on. It cannot create a pop-up or extend beyond the ad box borders when hovering over, which are otherwise common applications of advertisements.

To bypass these restrictions, advertisement services provides certain .html-files called iframe busters that should be uploaded to the website that are displaying the advertisements. As those files are uploaded directly to the website, they do not have any of those restrictions external resources normally have. The advertisements are then able to talk directly to the iframe busters, that in turn makes the changes on the website.

Vulnerabilities in iframe busters

In theory this could be done safely. However, in practice iframe busters often lack verification of what external page that tries to talk to it meaning any page can pretend to be an ad and thereby access content of the website.

It is also very common for iframe busters to have XSS vulnerabilities not related to this kind of check. It is clear that many of those files were not developed with security in focus.

This has been discussed before, but not received enough publicity for anything to really happen. Back then Google stopped providing some of the vulnerable files as part of their Ad Manager, but everyone that had already downloaded the files continued to be affected.

Late September this year Randy Westergren wrote a new piece on the subject, called XSS Vulnerabilities in Multiple iFrame Busters Affecting Top Tier Sites, where he highlights those issues and includes a few examples on new vulnerable iframe busters. This time Google removed some more files, but there are more providers and most websites have already downloaded the discontinued files. This is not a problem that we expect to go away anytime soon.

2% of all websites affected, and much more in the media sector

Westergren’s report caught the attention of our security research team including co-founder Fredrik N. Almroth. After digging deeper into the issues he concluded that 2% of all websites out there contain these issues.

As this affects websites that are displaying advertisements online, there is an overwhelming majority of newspapers and media companies among the affected group. Even websites that normally put security in focus are impacted as those iframe buster files are not developed in-house.

How the research was conducted

We looked into and collected the most common iframe busters. We then took ten of thousands of the most popular websites (based on Alexa ranking) and checked for those files. Any website hosting one of the iframe busters with those issues are considered vulnerable.

Based on this research, 2% of the checked websites were concluded to be vulnerable. This data could be extrapolated to more websites, meaning it is plausible to say around 2% of the web is vulnerable against XSS due to these issues.

What this means

XSS gives an attacker the ability to execute JavaScript under the vulnerable target’s domain. It gives an attacker the ability to see everything that the user sees, steal session cookies, and modify the content of the page. 

It should be noted that XSS is a client-side vulnerability. More or less, the user needs to click on a crafted link by the attacker to be affected. It is not possible to hack the website and change the content for everyone through an XSS.

However, this crafted link can be a mass send-out, or even put as an ad on another popular website (oh the irony). Sometimes one user is enough and by targeting an administrator it might be possible to take over their account on the website and thereafter target everyone.

Impact regardless of if you handle sensitive data

Many media websites actually contain user data and in ways we may not realize at first. More and more media companies have paywalls which usually requires both a login and credit card data. Other reasons to store such data include management of subscriptions and supporting user comments.

Even if you do not store user data this is not a problem to ignore. This is a still a concern because this could impact the user experience and ultimately the trustworthiness of your site. Someone being able to change the content of your website without your knowledge could dampen your reputation and reduce reader traffic.

Remediation steps

You do not have to stop selling or buying advertising to achieve security. Here are some recommended steps:

• Make sure you are not hosting legacy iframe busters. Delete those that are not needed.
• If possible, have someone audit the external .html-files for common security issues.
• Tests for iframe busters have been built-in to Detectify, which means you can now check your web applications to see if you are vulnerable to iframe busters DOM XSS or not.

Optimally, we suggest doing all three.

Future research areas

There might be more of those advertisement files that our team has missed. There could also be areas outside of advertising that using these kind of files and they may be vulnerable. We are continually collecting feedback from our customers for additional research as well as bug submissions through our Detectify Crowdsource ethical hackers network.

Closing comments

Many people already find ads annoying, and this does no favors. Ad money is a huge revenue stream for websites which means having this secure is essential for keeping readers on the page, and keep companies bidding for ad space. To keep this a safe and sustainable option for all users, it is important to check the integrity of the iframe busters files used, and this is something we can now help with.

Would you like to check your website for iframe buster vulnerabilities? If you are not using Detectify yet, you can give it a try by signing up for our free trial that gives you access to all Detectify security tests, including the newly added iframe buster DOM XSS tests.