
Millions of DIY websites made with the Wix tool are at risk of hijack


November 3, 2016

We just learned today that millions of do-it-yourself websites built with the Wix site-building tool were at great risk of hijack and compromise thanks to a zero-day DOM-based cross-site scripting (XSS) vulnerability.

Wix claims that about 87 million users have made their websites with its popular tool, among them about two million paying subscribers.

Contrast Security researcher Matt Austin discovered the flaw, which he rates as severe, and for the last 2 to 3 weeks he had been trying to get Wix to patch it under quiet, private disclosure.

He says that, apart from an initial acknowledgement that the disclosure had been received on October 14, he heard nothing back from the web company despite three subsequent requests for an update.

Some checks do appear to confirm, however, that the flaw was quietly closed after Austin's public disclosure. Wix has been contacted for comment, and we're still waiting to hear from them.

Austin asserted in his disclosure: "Wix.com has a severe DOM cross-site scripting security vulnerability that allows an attacker complete control over any website hosted at Wix."

"Simply by adding a single parameter to any site created on Wix, the attacker can cause their JavaScript to be loaded and run as part of the target website. Administrator control of a wix.com site could be used to widely distribute malware, viruses, create a dynamic, distributed, browser-based botnet, mine cryptocurrency, and otherwise generally control the content of the site as well as the users who use it," he warned.
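The flaw Austin describes belongs to a well-known class: page-side JavaScript reads a URL query parameter and uses it, unchecked, to decide which script to load. The following is an added illustration of that pattern and of the corresponding defensive fix; it is not Wix's code, and the parameter name `scriptSource`, the default bundle URL and the allowed origin are all made-up values for the demonstration.

```javascript
// Added example: the DOM-based XSS pattern (attacker-controlled URL parameter
// chosen as a script source) beside a hardened version. Not Wix's code; the
// parameter name, default bundle and allowed origin are assumptions for the demo.

// The site's own, trusted bundle (assumed value).
const DEFAULT_BUNDLE = 'https://static.example-site.test/app.js';

// Vulnerable pattern: whatever the query parameter says is used as the script
// source. In a browser this value would end up in
// document.createElement('script').src, so the page runs any script the URL names.
function pickScriptSourceVulnerable(pageUrl, paramName) {
  const candidate = new URL(pageUrl).searchParams.get(paramName);
  return candidate !== null ? candidate : DEFAULT_BUNDLE;
}

// Hardened pattern: the parameter may only select a script served over https
// from an allow-listed origin; anything else (other origins, javascript: URLs,
// relative paths, garbage) falls back to the default bundle.
function pickScriptSourceHardened(pageUrl, paramName, allowedOrigins) {
  const candidate = new URL(pageUrl).searchParams.get(paramName);
  if (candidate === null) return DEFAULT_BUNDLE;

  let parsed;
  try {
    parsed = new URL(candidate); // throws on relative or malformed values
  } catch (e) {
    return DEFAULT_BUNDLE;
  }

  // A javascript: or data: URL has origin "null" and fails this check too.
  if (parsed.protocol !== 'https:' || !allowedOrigins.includes(parsed.origin)) {
    return DEFAULT_BUNDLE;
  }
  return parsed.href;
}

// Constructed sample URLs (no real sites involved).
const ALLOWED = ['https://static.example-site.test'];
const hostilePage =
  'https://victim.example.test/page?scriptSource=https://attacker.example.test/evil.js';
const legitimatePage =
  'https://victim.example.test/page?scriptSource=https://static.example-site.test/v2/app.js';

console.log('vulnerable:', pickScriptSourceVulnerable(hostilePage, 'scriptSource'));
console.log('hardened  :', pickScriptSourceHardened(hostilePage, 'scriptSource', ALLOWED));
console.log('hardened  :', pickScriptSourceHardened(legitimatePage, 'scriptSource', ALLOWED));
```

The hardened version reduces the parameter from "any URL" to "one of a few known origins over https", which is the property a reviewer should look for at every script-loading sink. A Content-Security-Policy `script-src` directive listing only the site's own script hosts gives the same protection at the browser level and limits the damage even if such a sink is missed.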

Furthermore, other attack scenarios were open to anyone who either found the flaw before Austin did or spotted his disclosure before Wix could patch it.

Austin says that the attackers could have:

  • Changed the content of a hosted website for targeted users;
  • Challenged the user for their Wix username and password;
  • Asked the user for their Facebook or Twitter username and password;
  • Attempted to trick users of the site into downloading malware and executing it;
  • Generated ad revenue by inserting ads into website pages;
  • Spoofed bank web pages and attempted to have users log in;
  • Made it difficult or impossible to find and delete the infection;
  • Created new website administrator accounts.

Austin supplied then-working proof-of-concept links showing the DOM cross-site scripting in action against Wix template sites.

He also provided five additional steps an attacker would need to turn the vulnerability into a worm capable of hitting hundreds of websites.

The public disclosure, although made before even the shortest common industry bug-fix window of 30 days had elapsed, should serve as a reminder to every business with an online presence to have a process in place for handling security vulnerability disclosures.

This should preferably include a designated staffer who handles security disclosures, along with a security@*.com email address that is clearly visible on the business website.

Source: Contrast Internet Security LLC.

Copyright © Internet Security.ca