Disposable mail security updates for 4 October – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.


Iframe busters used by several advertising networks were found vulnerable to XSS. That means that all the websites hosting the affected iframe busters are vulnerable to XSS. In a recent query of the most popular websites, we found that 2% of websites were vulnerable.

More details about that can be found here.

There is a CSRF vulnerability in older versions of phpMyAdmin, giving an attacker the ability to send a crafted link to someone who is logged in to phpMyAdmin and thereby force that logged-in user to execute SQL commands. This can in turn be used to upload files and thereby take over the server.

Caucho Resin admin interface has a page with a few reflected XSS vulnerabilities. Those are exploitable without logging in.

This is a few years old, but the researcher discovered several websites that are still vulnerable to it, which is why we decided to implement it.

The plugin logs a lot of information in a publicly available log file. This information includes error messages, path disclosure and depending on circumstances could contain other sensitive information as well.

This is not a vulnerability per se, but rather a backdoor left from another hacker attack. This backdoor seems to be commonly used in recent attacks.

The backdoor has no authorization at all, meaning anyone can use it to execute code on the server. This itself is a problem, but it is also proof of an existing hacker attack.

Nagios is a network monitoring tool used by many large organizations. It is intended for internal use, but it happens that developers expose it to the internet. As no authorization is required, anyone could access it and thereby obtain information intended only for internal use.

Umbraco creates a few folders that, according to their documentation, should be locked down. However, security through documentation does not always work when not everyone reads everything, meaning there are vulnerable instances out there.


Questions or comments on our latest security updates? Let us know in the section below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Disposable mail here!

Already have an account? Login to check your assets.

Disposable mail is a continuous web scanning and monitoring service that can be set up for automated scanning for 1000+ known vulnerabilities, including the OWASP Top 10. Check for the latest vulnerabilities!

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Iframe busters lead to XSS on 2% of all websites – 10 minute mail

It is no secret that ad placements are a revenue stream for online media channels, but something not commonly known is that the ad technology often used, iframe busters, introduces vulnerabilities. If you are selling or buying advertisements online, this could impact you. We recently found that 2% of the internet is using this technology and is thus vulnerable to a common web application vulnerability, cross-site scripting (XSS). This list includes some high-traffic newspaper agencies, trusted tech news publications and popular lifestyle pages.

This article explains how iframe busters can lead to vulnerabilities on your website, and how it can impact the business regardless of the type of website.

What iframe and iframe buster are

Iframes are commonly used to embed advertisements. External resources that are loaded in an iframe have certain restrictions in a web browser, meaning they cannot access the rest of the page. This includes access to the cookies, the ability to affect the content of the website, and so on. An iframe cannot create a pop-up or extend beyond the ad box borders on hover, which are otherwise common features of advertisements.

To bypass these restrictions, advertisement services provide certain .html files called iframe busters that should be uploaded to the website that displays the advertisements. As those files are uploaded directly to the website, they do not have any of the restrictions external resources normally have. The advertisements are then able to talk directly to the iframe busters, which in turn make the changes on the website.

Image: Example of how iframe buster technology works

Vulnerabilities in iframe busters

In theory this could be done safely. However, in practice iframe busters often lack verification of which external page is trying to talk to them, meaning any page can pretend to be an ad and thereby access the content of the website.

It is also very common for iframe busters to have XSS vulnerabilities not related to this kind of check. It is clear that many of those files were not developed with security in focus.
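To make the two failure modes above concrete, here is an added illustration (not code from the article or from any ad network) of a postMessage-driven "expand" handler written the insecure way beside a hardened version. Both take an event shaped like a browser MessageEvent ({ origin, data }) and a "page" object standing in for the host document, so they run under Node without a DOM; the allow-listed origin is an assumed placeholder.

```javascript
// Added illustration, not code from the article or from any ad network.

// Vulnerable shape: no origin check, and message content is treated as markup.
function insecureBuster(event, page) {
  const msg = JSON.parse(event.data);           // anything that can postMessage() reaches here
  if (msg.cmd !== 'expand') return 'ignored';
  page.html += '<div class="ad-expanded">' + msg.html + '</div>'; // attacker string becomes DOM
  return 'expanded';
}

// Hardened shape: allow-list the ad server origin, validate the command
// schema, and render message content as text only, never as HTML.
const ALLOWED_ORIGINS = new Set(['https://ads.example-network.invalid']); // assumed placeholder origin

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function secureBuster(event, page) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return 'rejected-origin';
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) { return 'rejected-malformed'; }
  if (!msg || msg.cmd !== 'expand') return 'ignored';
  const w = Number(msg.width), h = Number(msg.height);
  // Only numeric, bounded sizes are accepted; no free-form HTML or CSS from the ad.
  if (!Number.isInteger(w) || !Number.isInteger(h) || w < 1 || w > 1200 || h < 1 || h > 800) {
    return 'rejected-size';
  }
  const label = escapeHtml(msg.label == null ? '' : msg.label);
  page.html += `<div class="ad-expanded" style="width:${w}px;height:${h}px">${label}</div>`;
  return 'expanded';
}

// Constructed sample messages used for the demonstration.
const HOSTILE_EVENT = {
  origin: 'https://attacker.invalid',
  data: JSON.stringify({ cmd: 'expand', html: '<img src=x onerror=alert(1)>', width: 300, height: 250 })
};
const LEGIT_EVENT = {
  origin: 'https://ads.example-network.invalid',
  data: JSON.stringify({ cmd: 'expand', width: 300, height: 250, label: '<b>Sponsored</b>' })
};
```

Feeding HOSTILE_EVENT to insecureBuster lands the payload in the page, while secureBuster rejects it on origin alone and, even for the legitimate event, renders the label as escaped text.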

This has been discussed before, but not received enough publicity for anything to really happen. Back then Google stopped providing some of the vulnerable files as part of their Ad Manager, but everyone that had already downloaded the files continued to be affected.

Late September this year Randy Westergren wrote a new piece on the subject, called XSS Vulnerabilities in Multiple iFrame Busters Affecting Top Tier Sites, where he highlights those issues and includes a few examples on new vulnerable iframe busters. This time Google removed some more files, but there are more providers and most websites have already downloaded the discontinued files. This is not a problem that we expect to go away anytime soon.

2% of all websites affected, and much more in the media sector

Westergren’s report caught the attention of our security research team including co-founder Fredrik N. Almroth. After digging deeper into the issues he concluded that 2% of all websites out there contain these issues.

As this affects websites that are displaying advertisements online, there is an overwhelming majority of newspapers and media companies among the affected group. Even websites that normally put security in focus are impacted as those iframe buster files are not developed in-house.

How the research was conducted

We looked into and collected the most common iframe busters. We then took tens of thousands of the most popular websites (based on Alexa ranking) and checked for those files. Any website hosting one of the iframe busters with those issues is considered vulnerable.

Based on this research, 2% of the checked websites were concluded to be vulnerable. This data could be extrapolated to more websites, meaning it is plausible to say around 2% of the web is vulnerable to XSS due to these issues.

What this means

XSS gives an attacker the ability to execute JavaScript under the vulnerable target’s domain. It gives an attacker the ability to see everything that the user sees, steal session cookies, and modify the content of the page. 

It should be noted that XSS is a client-side vulnerability. More or less, the user needs to click on a link crafted by the attacker to be affected. It is not possible to hack the website and change the content for everyone through an XSS.

However, this crafted link can be a mass send-out, or even put as an ad on another popular website (oh the irony). Sometimes one user is enough and by targeting an administrator it might be possible to take over their account on the website and thereafter target everyone.

Impact regardless of if you handle sensitive data

Many media websites actually contain user data, and in ways we may not realize at first. More and more media companies have paywalls, which usually require both a login and credit card data. Other reasons to store such data include management of subscriptions and supporting user comments.

Even if you do not store user data, this is not a problem to ignore. It is still a concern because it could impact the user experience and ultimately the trustworthiness of your site. Someone being able to change the content of your website without your knowledge could damage your reputation and reduce reader traffic.

Remediation steps

You do not have to stop selling or buying advertising to achieve security. Here are some recommended steps:

  • Make sure you are not hosting legacy iframe busters. Delete those that are not needed.
  • If possible, have someone audit the external .html-files for common security issues.
  • Tests for iframe busters have been built into Disposable mail, which means you can now check your web applications to see whether you are vulnerable to iframe buster DOM XSS or not.

Optimally, we suggest doing all three.

Future research areas

There might be more of those advertisement files that our team has missed. There could also be areas outside of advertising that use these kinds of files, and they may be vulnerable. We are continually collecting feedback from our customers for additional research, as well as bug submissions through our Disposable mail Crowdsource ethical hacker network.

Closing comments

Many people already find ads annoying, and this does no favors. Ad money is a huge revenue stream for websites, which means keeping this secure is essential for keeping readers on the page and keeping companies bidding for ad space. To keep this a safe and sustainable option for all users, it is important to check the integrity of the iframe buster files used, and this is something we can now help with.

Research by Fredrik N. Almroth and Linus Särud
Technical writing by Linus Särud
Editing by Jocelyn Chan

Would you like to check your website for iframe buster vulnerabilities? If you are not using Disposable mail yet, you can give it a try by signing up for our free trial that gives you access to all Disposable mail security tests, including the newly added iframe buster DOM XSS tests.

