Widgets or IFrame hacks, how would we know?

A particular aspect in IT security is injecting malware into websites. Often leading to so-called “drive by downloads“. This malware is often inserted due to a browser vulnerability which gets executed by, say, Javascript. The latter is usually “inserted” in a legitimate website using a hidden <IFRAME> tag or similar.

How can this be stopped? Modern websites include, because of widgets, several external Javascripts onto their own sites. When going to the gadget popular website engadget.com, a total of 17 hosts are contacted…

  • engadget.com
  • blogsmithmedia.com
  • o.aolcdn.com
  • platform.twitter.com
  • b.engadget.com
  • o.sa.aol.com
  • h.scorecardresearch.com
  • blogcdn.com
  • platform0.twitter.com
  • urls.api.twitter.com
  • platform.twitter.com
  • aolcdn.com
  • facebook.com
  • engadget2.disqus.com
  • static.ak.fbcdn.net
  • mediacdn.disqus.com
  • disqus.com

Wouldn’t it be easier for an attacker to -perhaps- perform DNS poisoning to take over one of these hostnames, to include javascripts in multiple websites? With the [like] buttons, [retweet] buttons and widgets, one could target many websites all at once.

Stopping this is partially performed by browsers, such as Firefox’s “this site downloads contents from xxxx.com, which contains malicious material”, but that’s only after a website is labelled as malicious. Could there be an answer where websites follow a “trusted list” (where sites register the widgets they use) type of model?

Just wondering on a thursday morning.

2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *