So I just heard about a hack that occurred a few years ago, either 2016 or 2017, where a hacker group "abused" Traffic Junky's advertising system in order to put malicious advertisements on websites. They were active for about a year before they were caught, taking millions of users' information. I was curious about how this hack works. I know following ads and clicking on them is a common way to put malware on a computer, but from the article I was reading it sounded like they made the website itself take the information without making people click on the advertisement itself. I was wondering how they could have made this happen, in general terms, and what information they could have actually collected. It seems like a notable method and if it's reasonably possible, it could be really devastating for internet advertising as a whole.

One last request: if anyone has any related articles on this type of hack, I would love to read them. I think that with more information, my Macroeconomics teacher would enjoy me using it as a theme for my assignments.

So websites use a programming language called JavaScript to enhance pages. Basically when you click like or upvote? That uses JavaScript. It allows things to happen without the page being refreshed or anything. Allows content to be loaded, input monitored etc.

Some advertisement companies require sites that want their ads to embed their JavaScript script that adds the ads into the site. There are other ways to embed ads but this is the only way that really allows the best ad experience. If a hacker can get control of said script, they can take control of the whole page that ad is on. The script might have a vulnerability (i.e. an ad contains a malicious script and the code that loads the ad is tricked into running the script instead of just displaying it as text) or the hacker could edit the script to do its bidding.

So for example say you have a login page. It can make a popup that people trust because it looks like it's from the site they trust when it's actually fake. It's a very common attack vector because of how much value it is. If you can just get your malicious JavaScript to run on a trusted webpage you can do anything the user could do and more (with some exceptions).

Some sites have vulnerabilities in the comment sections or anywhere where someone can post content for others to see. If the content is not "sanitized" or isolated correctly they can post code that when someone views that page will be run. But if they didn't I could post some code in this comment so that when you load any page that can see this comment, the login popup comes up. Except it's not really from Reddit, it's from my script which will then send your login info to my server. Or I could code it to upvote all my posts lmao.

It gets REALLY bad if say an admin were logged in and the script was able to run. If the admin has access to the site's server files, bam! The script adds some code and "I am the captain now." The entire site and all its data is now in the hacker's hands. They can deface the site for a ransom, copy sensitive data (which should be encrypted), manipulate content, etc. But even if say payments are being processed in a way that the hacker can't get access to that info. Well they can just edit the payment page to not be secure and route all credit card info through their servers. No one will notice unless security is good and proper warning systems are in place. Remember once they get access to the server, if they are good they will just disable all the warning systems first. There are ways to prevent that but most sites don't bother.

The trust that their code prevents the scripting attack in the first place. If it turns out it doesn't they are fucked. You can learn more here: (XSS)

Edit: A company falling victim to an attack like this is almost always not to be trusted. There can be situations where they really did do a good job and took security seriously but someone found a vulnerability in some framework they used that security audits missed. It's rare and generally the cause is that they hired cheap programmers who either don't care about security or have no skill. The sites that embedded Traffic Junky are not at fault. The security responsibility was solely on Traffic Junky unless some site that used them claimed to have really good security. Like if a bank had Traffic Junky or even Facebook ads embedded they are fucking stupid and should die a painful death.