Zero-Day Security Hole In Wix Hosting Service Exposed Millions Of Websites

A flaw in the cloud-based Wix.com website hosting service could have potentially exposed millions of DIY sites into being taken over by hackers and turned into botnets.

By exploiting an unpatched DOM (document object model) XXS vulnerability in the Wix platform, Contrast Security senior researcher Matt Austin found that hackers could have created a Wix demo template with the vulnerability by hiding the DOM XSS in an <iframe> and uploaded it onto the main Wix hosting site.

Any Wix users who clicked on the template would have effectively got infected by the XXS injection which could then spread to others who visited the newly infected site.

“Wix.com has a severe DOM XSS vulnerability that allows an attacker complete control over any website hosted at Wix. Simply by adding a single parameter to any site created on Wix, the attacker can cause their JavaScript to be loaded and run as part of the target website,” explained Austin in his advisory.

Wix website woes

Given haw Wix claims to have around 87 million registered users and over two million subscriptions, the vulnerability put a huge number of sites at risk.

“With the XSS on wix.com the attacker can do anything as the current user. This includes turning the attack into a worm,” said Austin.

And were such a flaw to be exploited at scale, the websites could be turned into a botnet that has the potential to launch server crippling DDoS attacks and propagate other malicious code.

“Administrator control of a wix.com site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine cryptocurrency, and otherwise generally control the content of the site as well as the users who use it” added Austin.

The security researcher noted he has informed Wix of the XSS flaw, though he publicly disclosed it at the same time.

Wix told TechWekeEurope that is has now patched the flaw: “We take the security of our customers very seriously. After thorough examination we can state that the issue has been addressed. We do operate a formal bug bounty program and are taking steps to widen the community.”

Given how botnets such as Mirai can be used to wreak havoc on major Internet services through acting as a platform for DDoS attacks, businesses should be aware of  need for contingency plans to mitigate such zero-day flaws while they wait for software and service providers to release an official patch.

Are you a security pro? Try our quiz!

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Recent Posts

BNP Paribas Joins JP Morgan Blockchain Trading Network

French bank BNP Paribas becomes first European bank to join JP Morgan's blockchain-based Onyx Digital…

14 hours ago

SEC Held Off Elon Musk Enforcement ‘Due To Court Fears’

US securities regulators may have refrained from enforcement actions against Elon Musk due to discouraging…

15 hours ago

Snap Earnings Warning Triggers Tech Sell-Off

Investors spooked after Snap warns of deteriorating economic conditions, says earnings now 'below the low…

16 hours ago

Russian Operator Discounts Smartphones As Sanctions Bite

Biggest Russian mobile operator MTS begins selling discounted and second-hand smartphones as Russians hit by…

17 hours ago

Clearview AI Fined £7.5m Over Facial Recognition Data

UK Information Commissioner's Office orders controversial facial recognition firm Clearview AI to delete data it…

18 hours ago

Airbnb To Pull Out Of China Amidst ‘Pandemic Challenges’

Airbnb to pull out of China as ongoing zero-Covid policy places severe restrictions on domestic…

19 hours ago