Infected sites could have been turned into botnets to launch DDoS attacks and spread malware
A flaw in the cloud-based Wix.com website hosting service could have potentially exposed millions of DIY sites into being taken over by hackers and turned into botnets.
By exploiting an unpatched DOM (document object model) XXS vulnerability in the Wix platform, Contrast Security senior researcher Matt Austin found that hackers could have created a Wix demo template with the vulnerability by hiding the DOM XSS in an <iframe> and uploaded it onto the main Wix hosting site.
Any Wix users who clicked on the template would have effectively got infected by the XXS injection which could then spread to others who visited the newly infected site.
Wix website woes
“With the XSS on wix.com the attacker can do anything as the current user. This includes turning the attack into a worm,” said Austin.
And were such a flaw to be exploited at scale, the websites could be turned into a botnet that has the potential to launch server crippling DDoS attacks and propagate other malicious code.
“Administrator control of a wix.com site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine cryptocurrency, and otherwise generally control the content of the site as well as the users who use it” added Austin.
The security researcher noted he has informed Wix of the XSS flaw, though he publicly disclosed it at the same time.
Wix told TechWekeEurope that is has now patched the flaw: “We take the security of our customers very seriously. After thorough examination we can state that the issue has been addressed. We do operate a formal bug bounty program and are taking steps to widen the community.”
Given how botnets such as Mirai can be used to wreak havoc on major Internet services through acting as a platform for DDoS attacks, businesses should be aware of need for contingency plans to mitigate such zero-day flaws while they wait for software and service providers to release an official patch.
Are you a security pro? Try our quiz!