Zero-Day Security Hole In Wix Hosting Service Exposed Millions Of Websites

Roland Moore-Colyer,

Infected sites could have been turned into botnets to launch DDoS attacks and spread malware

A flaw in the cloud-based Wix.com website hosting service could have potentially exposed millions of DIY sites into being taken over by hackers and turned into botnets.

By exploiting an unpatched DOM (document object model) XXS vulnerability in the Wix platform, Contrast Security senior researcher Matt Austin found that hackers could have created a Wix demo template with the vulnerability by hiding the DOM XSS in an <iframe> and uploaded it onto the main Wix hosting site.

Any Wix users who clicked on the template would have effectively got infected by the XXS injection which could then spread to others who visited the newly infected site.

“Wix.com has a severe DOM XSS vulnerability that allows an attacker complete control over any website hosted at Wix. Simply by adding a single parameter to any site created on Wix, the attacker can cause their JavaScript to be loaded and run as part of the target website,” explained Austin in his advisory.

Wix website woes

hacking teamGiven haw Wix claims to have around 87 million registered users and over two million subscriptions, the vulnerability put a huge number of sites at risk.

“With the XSS on wix.com the attacker can do anything as the current user. This includes turning the attack into a worm,” said Austin.

And were such a flaw to be exploited at scale, the websites could be turned into a botnet that has the potential to launch server crippling DDoS attacks and propagate other malicious code.

“Administrator control of a wix.com site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine cryptocurrency, and otherwise generally control the content of the site as well as the users who use it” added Austin.

The security researcher noted he has informed Wix of the XSS flaw, though he publicly disclosed it at the same time. 

Wix told TechWekeEurope that is has now patched the flaw: “We take the security of our customers very seriously. After thorough examination we can state that the issue has been addressed. We do operate a formal bug bounty program and are taking steps to widen the community.”

Given how botnets such as Mirai can be used to wreak havoc on major Internet services through acting as a platform for DDoS attacks, businesses should be aware of  need for contingency plans to mitigate such zero-day flaws while they wait for software and service providers to release an official patch.

Are you a security pro? Try our quiz!