A flaw in the cloud-based Wix.com website hosting service could have potentially exposed millions of DIY sites into being taken over by hackers and turned into botnets.
By exploiting an unpatched DOM (document object model) XXS vulnerability in the Wix platform, Contrast Security senior researcher Matt Austin found that hackers could have created a Wix demo template with the vulnerability by hiding the DOM XSS in an <iframe> and uploaded it onto the main Wix hosting site.
Any Wix users who clicked on the template would have effectively got infected by the XXS injection which could then spread to others who visited the newly infected site.
“Wix.com has a severe DOM XSS vulnerability that allows an attacker complete control over any website hosted at Wix. Simply by adding a single parameter to any site created on Wix, the attacker can cause their JavaScript to be loaded and run as part of the target website,” explained Austin in his advisory.
“With the XSS on wix.com the attacker can do anything as the current user. This includes turning the attack into a worm,” said Austin.
And were such a flaw to be exploited at scale, the websites could be turned into a botnet that has the potential to launch server crippling DDoS attacks and propagate other malicious code.
“Administrator control of a wix.com site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine cryptocurrency, and otherwise generally control the content of the site as well as the users who use it” added Austin.
The security researcher noted he has informed Wix of the XSS flaw, though he publicly disclosed it at the same time.
Wix told TechWekeEurope that is has now patched the flaw: “We take the security of our customers very seriously. After thorough examination we can state that the issue has been addressed. We do operate a formal bug bounty program and are taking steps to widen the community.”
Given how botnets such as Mirai can be used to wreak havoc on major Internet services through acting as a platform for DDoS attacks, businesses should be aware of need for contingency plans to mitigate such zero-day flaws while they wait for software and service providers to release an official patch.
Are you a security pro? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…