Online ad industry moves away from once prolific ads that are now deemed insecure because of DOM-based XSS vulnerabilities.

Certain types of online ads that expand, contract and pop-open aren’t just annoying – they can sometimes be dangerous. The ads in question are called expandable ads, which use what is called iFrame Busters code. The ads, together with iFrame Buster code, are designed to break the limits of a browser’s sandbox and offer advertisers in-your-face and highly effective ads.

But, researcher Randy Westergren found that many implementations of iFrame Busters are dangerous and the technical framework behind the ads that use them could be exploited by an attacker in a DOM-based cross-site scripting (XSS) attack. Adversaries could use the vulnerability as an entry point and take control of a website and steal user data. According to the researcher, an undisclosed number of iFrame Buster-enhanced ads are used on top tier domains, despite efforts by the advertising industry to move away from them.

“The XSS results in arbitrary JavaScript executing on the client-side in a first-party context. This means the code has access to manipulate the DOM, cookies, and other same-origin permissions,” Westergren told Threatpost in an interview.

An expandable ads that use iFrame Buster code are simply ads that can expand beyond the display area limits set by an iFrame. IFrame Buster is a generic term for these types of ads that have been used by dozens of online advertising firms including ones that work with Google’s DoubleClick network. It’s also important to note, the implementation of iFrame Buster advertising kits can differ greatly between vendors.

Westergren said his research was sparked in late 2017 by a Google blog posting discussing XSS vulnerabilities tied to a small number of iFrame Buster ad kits used within its DoubleClick ad network. He expanded the research, finding DOM-based XSS vulnerabilities in most iFrame Busters. Last week, Westergren disclosed his findings, singling out research on iFrame Buster kits offered to publishers by Adform (iFrame Manager 1.7.48), Eyeblaster (Add in Eye), Adtech and Jivox.

Contacted by Threatpost, ad firms Jivox and Adform said they ceased using the vulnerable iFrame Buster scripts. Eyeblaster and Adtech did not return Threatpost requests to comment for this article.

“The Adform IT Security team became aware of the potential security exploit back in December 2017…, ” said Julian Baring, general manager of Adform in an email interview with Threatpost. “Based on the information we immediately started a technical investigation and action plan to resolve the potential issue.”

He said that the vulnerability in iFrame Manager (1.7.48) was fixed in January. Jivox said it ceased using the vulnerable iFrame Busters in February 2017.

Experts contacted say it’s unclear how many sites still host the iFrame Buster kits (code) and use the technique to deliver ads. Also unclear is if this vulnerability has ever been exploited in the wild.

“This isn’t a browser issue. It is an issue with ad agencies developing their own specific busters that have XSS weaknesses,” Westergren said. “Site owners are ultimately responsible for removing the affected/vulnerable iFrame Busters since they are hosted directly on their servers.”

According to those familiar with iFrame Busters, the technique to deliver these type ads was popular several years ago and has slowly fallen out of fashion as a competing SafeFrame standard was introduced in 2014 by industry trade group Internet Advertising Bureau. There are no reported XSS issues tied to SafeFrame ads that also allow advertisers to have ads expand and contract on a web page.

Originally the iFrame Buster ads were designed to bypass iFrame sandbox limitations on ads. “[Typically an] ad cannot extend display beyond its frame size, nor can it manipulate the DOM in the top-level page due to same-origin policy,” Westergren said. “In order to work around this and allow a specific ad vendor to bypass SOP, vendor iFrame Busters (special HTML files) are often provided to be hosted on a publisher’s domain.”

Techniques vary, but exploiting each framework involves attacking a consistent DOM-based XSS flaw found in each iFrame Buster implementation.

DOM-based XSS vulnerabilities are unlike traditional cross-site scripting exploits, where a payload is dropped onto a page in response to a HTTP(S) request. DOM-based XSS attacks modify the Document Object Model environment in the browser used by client-side script, and malicious code affects the execution client-side code contained on a site. This allows attackers to run JavaScript code that bypasses the browser’s security feature called a same-origin policy (SOP).

Malicious ads, served up unknowingly by third-party ad agencies, have long been a headache for publishers. In January Vox Media, publisher of SB Nation, Vox and The Verge, posted a blog explaining to readers it was waging war against disreputable ads. “We hate these malicious ads with the fire of a thousand suns and are working actively to keep them off of our sites,” they wrote.