A popular ad serving and management platform, Orbit Open Ad Server, was impacted by a SQL injection vulnerability, which left website visitors vulnerable to data theft.
Swiss penetration testing firm High-Tech Bridge notified OrbitScripts, the vendor for the ad platform, last month, and the issue was quickly addressed on March 21, High-Tech Bridge revealed in a security advisory. But the security concern served as a cautionary tale of how attackers can cleverly use malvertising to go after large numbers of online users.
On Wednesday, Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazine.com that, even when companies take all the right steps to secure their own websites, malvertising – which targets site visitors via poisoned third-party ads – can still defeat enterprise defenses.
SQL injection attacks allow an attacker to supply crafted input through unvalidated data entry fields so that it is executed as part of an application's database queries, leaving financial or other sensitive information entered on websites subject to theft.
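As an added illustration (not code from the article, from OrbitScripts, or from the ad server itself), the constructed ad-lookup below shows why string-built queries are the root of the problem and why a bound parameter is the fix; the `ads` table, its columns and the sample rows are assumptions made up for the demo, not Orbit Open Ad Server's real schema.

```python
import sqlite3


def make_db():
    """Constructed stand-in for an ad server's ad/zone table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ads (id INTEGER, zone TEXT, creative TEXT, publisher_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO ads VALUES (?, ?, ?, ?)",
        [
            (1, "header", "banner1.gif", "pub-A-key"),
            (2, "sidebar", "banner2.gif", "pub-B-key"),
            (3, "footer", "banner3.gif", "pub-C-key"),
        ],
    )
    return conn


def lookup_ad_vulnerable(conn, zone):
    # The zone name from the request is concatenated straight into the SQL text,
    # so anything the caller sends is interpreted as part of the query itself.
    sql = "SELECT id, creative, publisher_key FROM ads WHERE zone = '" + zone + "'"
    return conn.execute(sql).fetchall()


def lookup_ad_safe(conn, zone):
    # Bound parameter: the driver passes the value separately from the query
    # text, so the input can only ever match a zone name, never alter the query.
    sql = "SELECT id, creative, publisher_key FROM ads WHERE zone = ?"
    return conn.execute(sql, (zone,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Ordinary request: both variants return the single header ad.
    print(lookup_ad_vulnerable(db, "header"))
    print(lookup_ad_safe(db, "header"))
    # Malformed request: the concatenated query now returns every row,
    # including other publishers' keys; the parameterized query returns nothing.
    bad = "header' OR '1'='1"
    print(lookup_ad_vulnerable(db, bad))
    print(lookup_ad_safe(db, bad))
```

Running the script against the constructed table shows the vulnerable lookup leaking all three rows for the malformed input, while the parameterized lookup returns an empty result.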
In the case of Orbit Open Ad Server, the “damage could be really huge,” Kolochenko explained, as the SQL injection flaw could be leveraged to bypass platform users themselves, and go after the bigger bounty – online visitors of thousands of websites utilizing the open source ad server.
The software can be used to manage ads placed on various websites, including those operated via popular blogging platforms, like WordPress, Drupal and Joomla.
“You can make sure that the site is up-to-date, but as soon as you start hosting ads and put their content online, you cannot really control what they serve,” Kolochenko said. “Hackers can easily host spyware or malware, instead of legitimate [advertising] content, on your site.”
On Wednesday, a representative for OrbitScripts confirmed with SCMagazine.com via email that the SQL injection issue had been patched as of March 21.
Last fall, High-Tech Bridge also uncovered serious, but common, website vulnerabilities (XSS flaws) that impacted the security of Yahoo domains and NASDAQ's website.