Forgot your password?
typodupeerror
Security Advertising

Backdoor Found In OpenX Ad Platform 43

Posted by Soulskill
from the eroding-what-little-trust-exists dept.
mask.of.sanity writes "A backdoor has existed for at least seven months in a platform sold by OpenX, the self-described global leader of digital advertising which counts the New York Post, Coca Cola, Bloomberg and EA among its customers. The backdoor was contained within the official OpenX package and recently removed. Security researchers say it meant those who downloaded the compromised software could have provided attackers full access to their web sites."
This discussion has been archived. No new comments can be posted.

Backdoor Found In OpenX Ad Platform

Comments Filter:
  • So pretty much Malware ads only with full websites Also EasyList Blocks the Sucuri site
    • So pretty much Malware ads only with full websites
      Also EasyList Blocks the Sucuri site

      And this is why I tell friends and family to run Adblock plus and keep it updated so you have a lot lower chance (if any) to see ads from websites you *believe* are safe delivering malicious code via ads.

      • by KiloByte (825081)

        EasyList has a serious flaw: it doesn't add EasyPrivacy by default. Spying servers are nearly as likely to contain extra risks as ad ones.

        • I use adblock plus and ghostery... though I specifically unblock google ads, and disqus... the rest is pretty much blocked... it's annoying when certain sites won't work with them enabled (I just move on).
  • by Trepidity (597) <delirium-slashdot@@@hackish...org> on Tuesday August 06, 2013 @03:07PM (#44490445)

    OpenX makes an interesting example of a technically open-source project that fails to benefit from open-source much at all. It's GPL'd, but they don't support any kind of public development (no public revision-control systems or anything), and they even make you register to download the source [openx.com]. The page where you do so mostly just tries to convince you not to do so. A third-party site mirrors the open-source version [opensource.be] for no-login downloads, but it seems just out of personal interest, since he's the developer of a predecessor to OpenX. It's not clear there is anybody who cares about this codebase or ever looks at it outside the company. Hence, technically open-source, but trying as hard as possible not to be.

    • by Karzz1 (306015) on Tuesday August 06, 2013 @03:16PM (#44490515) Homepage
      While there are certain hurdles, there certainly is an officially supported revision-control system: https://svn.openx.org/ [openx.org]

      Having said that, I don't see much there that is newer than the official "community" release.
    • Re: (Score:3, Informative)

      by pHalec (31694)

      OpenX has been through many twists and turns. I started using it with my employer when it was called phpAdsNew; it then became OpenAds; then OpenX.

      It gradually went from a passably supported and FOSS-minded project to a hybrid model, with the FOSS part atrophying very quickly. It became clear to us that this was a liability and we stopped using it. We're now actively avoiding hybrid models like this.

      Finding a 7-month-old backdoor vindicates our suspicions.

      • by sr180 (700526)

        Yes - its been exploited to. I admin a site - and we were hit quite hard by this. Im amazed that its taken this long for the exploit to be acknowledged.

    • by wimg (300673) on Tuesday August 06, 2013 @05:11PM (#44491705) Homepage

      I'm the third party you're talking about, the developer of phpAdsNew. Sadly, things took a turn for the worse when the company OpenAds (now OpenX) decided to make a business out of the advertising server. Although they've made a lot of money, the open source version has been neglected completely.

      I put the download page online because I didn't like the fact that you had to register, but I'm haven't been involved in the project since 2002, so there's not much I can do about this shameful bug.

  • by dryriver (1010635) on Tuesday August 06, 2013 @03:10PM (#44490461)
    ... its just a question of how long it takes - how many months or years - for the backdoor's existence to become public knowledge. ---- Once the backdoor is revealed to be there, of course, the whole thing is spun as an "unintentional software/system vulnerability". ---- Nobody ever admits that the backdoor was put where it is very much on purpose, and WITH/FOR a purpose... =) My 2 Cents...
  • by al0ha (1262684) on Tuesday August 06, 2013 @03:14PM (#44490495) Journal
    Cross domain advertising JavaScript is sooooo lame, it's required the removal of basic security implemented way back in browsers and opened the door to all kinds of miscreant behavior. I despise the Internet as a vehicle of advertising commerce.

    The Internet was conceived to share ideas and information, everything else is utter BS in the name of money grubbing.
    • I happen to prefer web-based applications to desktop apps (for most use cases)... this is essential to JS etc... Public facing web-apps are generally very useful as well... the problem is those that subvert the use... When I saw the first popover X-10 camera advertisement, I knew it was down hill from there.
  • "Security researchers say it meant those who downloaded the compromised software could have provided attackers full access to their web sites."

    "Security researchers say it meant those who downloaded the compromised software undoubtedly provided attackers full access to their web sites."

    There...fixed that for you.

  • It is fixed in 2.8.11
    http://forum.openx.org/index.php?showtopic=503521628 [openx.org] has openx's response.

    Quick check on your servers by going to the openx base directory and doing an md5:
    md5sum \
    plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js \
    plugins/deliveryLog/vastServeVideoPlayer/player.delivery.php \
    lib/max/Delivery/common.php

    These md5's match the problem files:
    558c80e601fb996e5f6bbc99a9ee0051 plugins/deliveryLog/vastServeVideoPlayer

  • by pe1chl (90186) on Wednesday August 07, 2013 @03:28AM (#44495041)

    I had already blocked all ads served by openx servers (by URL regexp) long before this, after a couple of bad happenings on ad sites running openx.
    It apparently is an unreliable platform. This finding only proves that.
    However, I also think the ad platforms should make 5 steps back to become credible and acceptable again.
    An ad server should be called from some customer-specific URL on the website and then serve a JPG or PNG with the ad. Period.
    All the hoopla with javascripts fetched from different places, iframes, active content (like flash) etc has made it into an unreliable
    piece of junk that just asks for being blocked. When I block it, they should not blame me but blame themselves.

A LISP programmer knows the value of everything, but the cost of nothing. -- Alan Perlis

Working...