Trusting Others To Host Content In Your Web Apps

One of the things I tend to warn other developers about is the inclusion of third-party content into their applications. No, I’m not talking about pulling in serialized data from trusted sources. I’m talking about simply adding “stuff on the site”. This isn’t anything groundbreaking. In fact, it’s pretty obvious stuff. The news that Google was identifying The Verge as a malware host is a pretty good and well-publicized example of what can go wrong. Keep in mind I’m going based on public information.

If you are unaware of The Verge, here is how they define who they are:

The Verge was founded in 2011 in partnership with Vox Media, and covers the intersection of technology, science, art, and culture. Its mission is to offer in-depth reporting and long-form feature stories, breaking news coverage, product information, and community content in a unified and cohesive manner. The site is powered by Vox Media’s Chorus platform, a modern media stack built for web-native news in the 21st century.

(Source)

Visiting

When most general users go to a website they probably don’t realize that they may be making requests out to many locations. In the case of The Verge’s main page they are making requests out to the following domains for images and JavaScript.

  • www.google-analytics.com
  • ajax.googleapis.com
  • apis.google.com
  • ad.doubleclick.net
  • platform.twitter.com
  • cdn0.sbnation.com
  • cdn1.sbnation.com
  • ox-d.sbnation.com
  • tags.crwdcntrl.net
  • fonts.sbnation.com
  • bs.serving-sys.com
  • cdn3.sbnation.com
  • www.facebook.com
  • p.typekit.net
  • edge.quantserve.com
  • aperture.displaymarketplace.com
  • static.chartbeat.com

The more technical the reader is, the more likely they are to understand that a visit to a website is probably going to include many requests to many different sites. The above list of domains is pretty normal. Facebook, Twitter and Google for social networking. Ad companies to show ads. Tracking companies for analytics. And the use of a CDN (content delivery network) is a pretty common practice for web applications which encounter high load. Nothing to see here, right?

Maybe a little

By including these domains there is an amount of trust given. If any of those third-party sites encounters a security issue, then the site doing the including could be affected. In this case it was sbnation.com’s reputation which was causing an issue. At one point Google’s Safe Browsing system identified malware being hosted on sbnation.com, which means it is going to flag requests to the domain as a possible problem. In fact, here is what Google Safe Browsing had for sbnation.com:

What happened when Google visited this site?
Of the 8071 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-09-17, and the last time suspicious content was found on this site was on 2012-09-16.
Malicious software includes 8 trojan(s), 2 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 1 domain(s), including 63.143.*.0/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including u******.net/.

This site was hosted on 26 network(s) including AS29791 (VOXEL), AS36089 (OPENX), AS11855 (INTERNAP).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, sbnation.com appeared to function as an intermediary for the infection of 3 site(s) including ml****.com/, fa******.com/, f*******es.com/.

(Source – Asterisks added)

Because sbnation.com had malware associated with it recently, The Verge, which was using sbnation as a CDN, had its threat level raised. It’s even pretty obvious via the red warning that Chrome was giving users: “www.theverge.com contains content from cdn0.sbnation.com, a site known to distribute malware”. If you are interested in what the errors looked like to users, check out the thread that was going on The Verge’s forums.

Was the situation dangerous?

I have a feeling in the above case it probably wasn’t. The CDN is probably used in a lot of different sites and the content in use is likely uploaded by the first party but, to be honest, I didn’t look into it as it’s an example of what can go wrong and not the meat of the post. But it still isn’t the best position to be in. If users want to be protected then having a system like Safe Browsing warn them that a third-party host in use by the first party has been noted as distributing malware is probably a fair result.

Is including remote content really about trust?

Yeah, it kind of is. Let’s say there is a web application that allows you to get feedback on your site simply. All you need to do is drop in a small bit of JavaScript referencing the service and you will be set! You’re all done and can have a drink to pre-celebrate the great feedback you’ll get. But what if the developers create a terrible bug in the JavaScript you are including or, worse, something happens to the server that is hosting the JavaScript you now include? By adding in content from the third party you are trusting that their security level matches or surpasses your own. You are also trusting that any third parties they are using meet or exceed your security level as well. If any/all third parties do not meet or exceed your standards then your users/visitors and brand (if applicable) could take a hit.
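
An added example, not part of the original post: a small Python audit that lists the third-party hosts a page's markup fetches from (the kind of domain list shown earlier) and singles out third-party scripts, the case described above. The sample HTML is constructed, and the check for an `integrity` (Subresource Integrity) attribute is an addition the post does not discuss.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute triggers a fetch; a <script> also runs with the page's privileges.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ThirdPartyAudit(HTMLParser):
    """Collect the third-party hosts a page loads from, and what each one serves."""
    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url = page_url
        self.first_party = tuple(s.lower() for s in first_party)
        self.hosts = {}      # host -> set of tag names that fetch from it
        self.unpinned = []   # third-party script URLs with no integrity attribute

    def is_first_party(self, host):
        return any(host == s or host.endswith("." + s) for s in self.first_party)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        ref = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not ref:
            return
        # urljoin resolves relative paths and scheme-relative //host/ references
        host = (urlparse(urljoin(self.page_url, ref)).hostname or "").lower()
        if not host or self.is_first_party(host):
            return
        self.hosts.setdefault(host, set()).add(tag)
        if tag == "script" and not attrs.get("integrity"):
            self.unpinned.append(urljoin(self.page_url, ref))

def audit(html, page_url, first_party):
    parser = ThirdPartyAudit(page_url, first_party)
    parser.feed(html)
    parser.close()
    return parser.hosts, parser.unpinned

# Constructed sample markup reusing hosts from the list above; not The Verge's real HTML.
SAMPLE = """<head>
<link rel="stylesheet" href="//fonts.sbnation.com/site.css">
<script src="http://ajax.googleapis.com/lib.js"></script>
<script src="http://cdn0.sbnation.com/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="/js/local.js"></script>
</head><body><img src="http://cdn1.sbnation.com/photo.jpg"><img src="/logo.png"></body>"""

if __name__ == "__main__":
    hosts, unpinned = audit(SAMPLE, "http://www.theverge.com/", ["theverge.com"])
    for host in sorted(hosts):
        print(f"{host}: {sorted(hosts[host])}")
    print("third-party scripts without integrity:", unpinned)
```

Passing `["theverge.com", "sbnation.com"]` as the first-party list treats the CDN as your own, which is exactly the trust decision the post is about.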
