Multiple iframe busters have been removed, but many are still likely being used on top sites

Advertisements on websites may have just become even more annoying, after a security researcher discovered multiple vulnerabilities in a popular ad delivery technique that could lead to a cross-site scripting (XSS) exploit.

The issue, according to Randy Westergren, originates with iframe busters – HTML files that help dictate how a web advertisement is viewed, or engaged, by a user.

This technique, which helps to embed content within a web page, allows ad vendors to bypass the site’s same-origin policy (SOP) in order to make ads bigger while still redirecting a user to a desired domain.

Busters are vendor-specific, which means that a site can effectively host various third-party scripts in order to get the ad to function accordingly. Google, for instance, has released extensive guidance on how to securely implement these iframe busters.

In 2017, however, the tech giant warned clients of its ad service DoubleClick that some of the HTML and JavaScript files recommended for displaying ads outside of an iframe were susceptible to XSS vulnerabilities.

Google removed these third-party vendors because their files would have allowed attackers to inject malicious code and circumvent a site's access controls.

“I decided to review some of the remaining busters as well as the more popular ones not used by DoubleClick,” said Westergren, writing in a blog post. “I identified DOM-based XSS vulnerabilities in most of these busters.”

Many of the vulnerabilities found, Westergren said, were due to weak whitelist implementation – the restrictions defining which domains should be granted access.

In the Adform iframe manager, for example, “the URL must start with https:// and end with {almost_anything}.adform.com,” Westergren said.

“With the exception of forward slashes, any other characters are allowed in between. Due to this poor restriction, bypassing the whitelist is easy for an attacker.”
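The whitelist weakness described above, as an added example that is not taken from Westergren's post or from Adform's code: `WEAK_RULE` is a constructed approximation of the quoted rule, and the function names and sample URLs (using reserved `.example` names) are assumptions for illustration. It contrasts matching the raw string with checking the hostname after the URL has been parsed.

```javascript
// Constructed approximation of the quoted rule: starts with https://,
// ends with <anything>.adform.com, no forward slash in between.
const WEAK_RULE = /^https:\/\/[^\/]*\.adform\.com$/;

function weakAllow(url) {
  return WEAK_RULE.test(url);
}

// Hardened form: parse with the WHATWG URL parser (the same rules a
// browser applies), then decide on the parsed hostname, not the string.
const ALLOWED_SUFFIX = ".adform.com";

function strictAllow(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // not parseable as an absolute URL
  }
  if (parsed.protocol !== "https:") return false;
  if (!parsed.hostname.endsWith(ALLOWED_SUFFIX)) return false;
  // The value is meant to be a bare origin: no path, query or fragment.
  return parsed.pathname === "/" && parsed.search === "" && parsed.hash === "";
}

// Constructed sample inputs for a validator regression test.
const SAMPLES = [
  "https://track.adform.com",              // legitimate
  "https://other.example?.adform.com",     // suffix sits in the query
  "https://other.example#.adform.com",     // suffix sits in the fragment
  "https://other.example\\.adform.com",    // backslash ends the host in browsers
  "https://adform.com.other.example",      // suffix not at the end
  "http://track.adform.com",               // wrong scheme
];

// URLs the string rule accepts but the parsed-hostname check rejects.
function disagreements(samples) {
  return samples.filter((u) => weakAllow(u) && !strictAllow(u));
}

console.log(disagreements(SAMPLES));
```
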

Westergren lists numerous examples of how certain iframe buster code permits attackers to compromise a domain. Many, including Eblaster, Adtech, and Jivox, are still being used on top-ranking sites, he said.

Google immediately removed the vulnerable files from its iframe buster kit following Westergren’s report to its security team, but many of them are still likely being used by ad services, putting visitors to the sites that use them at risk.

This is far from the first time that ads have been used to introduce malicious code onto a website.

In October last year, for instance, The Daily Swig reported how millions of Pornhub users had been targeted in a malvertising campaign for over a year.