One of the things I tend to warn other developers about is the inclusion of third-party content in their applications. No, I’m not talking about pulling in serialized data from trusted sources. I’m talking about simply adding “stuff to the site”. This isn’t anything groundbreaking; in fact, it’s pretty obvious stuff. The news that Google was identifying The Verge as a malware host is a good and well-publicized example of what can go wrong. Keep in mind that I’m going on public information only.
If you are unaware of The Verge, here is how they define who they are:
The Verge was founded in 2011 in partnership with Vox Media, and covers the intersection of technology, science, art, and culture. Its mission is to offer in-depth reporting and long-form feature stories, breaking news coverage, product information, and community content in a unified and cohesive manner. The site is powered by Vox Media’s Chorus platform, a modern media stack built for web-native news in the 21st century.
The more technical the reader, the more likely they are to understand that a visit to a website probably involves many requests to many different sites. The list of domains above is pretty normal: Facebook, Twitter and Google for social networking, ad companies to show ads, tracking companies for analytics. And the use of a CDN (content delivery network) is common practice for web applications that encounter high load. Nothing to see here, right?
Maybe a little
By including these domains, a degree of trust is extended. If any of those third-party sites encounters a security issue, the site doing the including can be affected too. In this case it was sbnation.com’s reputation that caused the problem. At one point Google’s Safe Browsing system identified malware being hosted on sbnation.com, which means it will flag requests to that domain as a possible problem. In fact, here is what Google Safe Browsing had for sbnation.com:
What happened when Google visited this site?
Of the 8071 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-09-17, and the last time suspicious content was found on this site was on 2012-09-16.
Malicious software includes 8 trojan(s), 2 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 1 domain(s), including 63.143.*.0/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including u******.net/.
This site was hosted on 26 network(s) including AS29791 (VOXEL), AS36089 (OPENX), AS11855 (INTERNAP).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, sbnation.com appeared to function as an intermediary for the infection of 3 site(s) including ml****.com/, fa******.com/, f*******es.com/.
(Source – Asterisks added)
Because sbnation.com recently had malware associated with it, The Verge, which was using sbnation.com as a CDN, had its threat level raised. It was obvious from the red warning Chrome was giving users: “www.theverge.com contains content from cdn0.sbnation.com, a site known to distribute malware”. If you are interested in what the errors looked like to users, check out the thread that was going on The Verge’s forums.
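The trust extended by including a domain is easy to lose track of once a page pulls from a dozen hosts, so the first step is simply to inventory them. The script below, an added example that is not code from The Verge or Vox Media, parses a page’s markup, lists every remote host it loads content from, flags hosts that are not on an allowlist, and reports third-party scripts that load without a Subresource Integrity hash. The sample HTML, the allowlist and every hostname other than www.theverge.com and cdn0.sbnation.com are constructed for illustration.

```python
"""Inventory the remote origins a page includes, and check which third-party
scripts are pinned by Subresource Integrity (SRI).

Added example, not code from The Verge or Vox Media. The HTML, the allowlist
and every hostname other than www.theverge.com and cdn0.sbnation.com are
constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose value the browser fetches from the network.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class InclusionScanner(HTMLParser):
    """Collect (tag, host, has_sri) for every remote resource a page references."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.inclusions = []

    def handle_starttag(self, tag, attrs):
        attr_name = FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # Only stylesheet <link>s pull content into the page; skip preconnect etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").split():
            return
        target = attrs.get(attr_name)
        if not target:
            return
        # urljoin resolves relative and protocol-relative ("//cdn/...") URLs.
        host = urlsplit(urljoin(self.page_url, target)).hostname
        self.inclusions.append((tag, host, "integrity" in attrs))


def audit(page_url, html, allowed_hosts):
    """Return the hosts the page trusts, those missing from the allowlist, and
    third-party scripts that load without an SRI hash.

    Hosts are compared by exact hostname, so a sibling subdomain of the page
    counts as third party; a registrable-domain comparison would not.
    """
    scanner = InclusionScanner(page_url)
    scanner.feed(html)
    first_party = urlsplit(page_url).hostname
    third_party = sorted({h for _, h, _ in scanner.inclusions if h != first_party})
    unlisted = [h for h in third_party if h not in allowed_hosts]
    unpinned_scripts = sorted({
        h for tag, h, has_sri in scanner.inclusions
        if tag == "script" and h != first_party and not has_sri
    })
    return {"third_party": third_party, "unlisted": unlisted,
            "unpinned_scripts": unpinned_scripts}


PAGE_URL = "https://www.theverge.com/"

# Constructed sample markup; the integrity digest is a placeholder, not a real hash.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="//cdn0.sbnation.com/css/site.css">
<link rel="preconnect" href="https://fonts.example.net">
<script src="/js/app.js"></script>
<script src="https://cdn0.sbnation.com/js/vendor.js"></script>
<script src="https://ajax.example-cdn.net/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body>
<img src="https://tracker.example.org/pixel.gif">
<iframe src="https://ads.example.com/frame"></iframe>
</body></html>
"""

# Assumed allowlist: the only third-party host this page is meant to rely on.
ALLOWED_HOSTS = {"cdn0.sbnation.com"}

if __name__ == "__main__":
    for key, hosts in audit(PAGE_URL, SAMPLE_HTML, ALLOWED_HOSTS).items():
        print(f"{key}: {', '.join(hosts) or '(none)'}")
```

Run against the constructed page, it reports four third-party hosts, three of which are not on the allowlist, and one third-party script (vendor.js from cdn0.sbnation.com) that the browser will execute with no integrity check. That last list is the one to act on: an SRI hash makes the browser refuse a script whose bytes changed, which is exactly the failure mode a compromised CDN produces, while the allowlist diff is what you feed into a Content Security Policy so unexpected hosts fail closed.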
Was the situation dangerous?
I have a feeling that in the above case it probably wasn’t. The CDN is probably used by a lot of different sites and the content in use is likely uploaded by the first party, but, to be honest, I didn’t look into it, as it’s an example of what can go wrong and not the meat of the post. Still, it isn’t the best position to be in. If users want to be protected, then having a system like Safe Browsing warn them that a third-party host in use by the first party has been noted as distributing malware is probably a fair result.
Is including remote content really about trust?