A flaw in the cloud-based Wix.com website hosting service could have potentially exposed millions of DIY sites into being taken over by hackers and turned into botnets.
By exploiting an unpatched DOM (document object model) XXS vulnerability in the Wix platform, Contrast Security senior researcher Matt Austin found that hackers could have created a Wix demo template with the vulnerability by hiding the DOM XSS in an <iframe> and uploaded it onto the main Wix hosting site.
Any Wix users who clicked on the template would have effectively got infected by the XXS injection which could then spread to others who visited the newly infected site.
“Wix.com has a severe DOM XSS vulnerability that allows an attacker complete control over any website hosted at Wix. Simply by adding a single parameter to any site created on Wix, the attacker can cause their JavaScript to be loaded and run as part of the target website,” explained Austin in his advisory.
“With the XSS on wix.com the attacker can do anything as the current user. This includes turning the attack into a worm,” said Austin.
And were such a flaw to be exploited at scale, the websites could be turned into a botnet that has the potential to launch server crippling DDoS attacks and propagate other malicious code.
“Administrator control of a wix.com site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine cryptocurrency, and otherwise generally control the content of the site as well as the users who use it” added Austin.
The security researcher noted he has informed Wix of the XSS flaw, though he publicly disclosed it at the same time.
Wix told TechWekeEurope that is has now patched the flaw: “We take the security of our customers very seriously. After thorough examination we can state that the issue has been addressed. We do operate a formal bug bounty program and are taking steps to widen the community.”
Given how botnets such as Mirai can be used to wreak havoc on major Internet services through acting as a platform for DDoS attacks, businesses should be aware of need for contingency plans to mitigate such zero-day flaws while they wait for software and service providers to release an official patch.
Are you a security pro? Try our quiz!
British regulator invites feedback on major partnerships Microsoft and Amazon have struck with smaller AI…
Another 20 staff have been fired by Google over Israel protest and their “completely unacceptable…
Censorship row brewing down under, after the Australian Prime Minister calls Elon Musk an 'arrogant…
Financial regulator asks New York judge to impose $5.3 billion in fines against Terraform Labs…
Lightweight artificial intelligence model launched this week by Microsoft, offering more cost-effective option for Azure…
ByteDance protest falls on deaf ears, as Senate passes TikTok ban or divest bill, with…