Backdoor Found In OpenX Ad Platform
mask.of.sanity writes "A backdoor has existed for at least seven months in a platform sold by OpenX, the self-described global leader of digital advertising which counts the New York Post, Coca Cola, Bloomberg and EA among its customers. The backdoor was contained within the official OpenX package and recently removed. Security researchers say it meant those who downloaded the compromised software could have provided attackers full access to their web sites."
So pretty much malware ads, only with full websites.
Also, EasyList blocks the Sucuri site.
And this is why I tell friends and family to run Adblock plus and keep it updated so you have a lot lower chance (if any) to see ads from websites you *believe* are safe delivering malicious code via ads.
You must master your joystick like a fisherman masters bait! - Gimpy
OpenX makes an interesting example of a technically open-source project that fails to benefit from open-source much at all. It's GPL'd, but they don't support any kind of public development (no public revision-control systems or anything), and they even make you register to download the source. The page where you do so mostly just tries to convince you not to do so. A third-party site mirrors the open-source version for no-login downloads, but it seems just out of personal interest, since he's the developer of a predecessor to OpenX. It's not clear there is anybody who cares about this codebase or ever looks at it outside the company. Hence, technically open-source, but trying as hard as possible not to be.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
... it's just a question of how long it takes - how many months or years - for the backdoor's existence to become public knowledge. ---- Once the backdoor is revealed to be there, of course, the whole thing is spun as an "unintentional software/system vulnerability". ---- Nobody ever admits that the backdoor was put where it is very much on purpose, and WITH/FOR a purpose... =) My 2 cents...
Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
Cross-domain advertising JavaScript is sooooo lame; it has required the removal of basic security implemented way back in browsers and opened the door to all kinds of miscreant behavior. I despise the Internet as a vehicle of advertising commerce.
The Internet was conceived to share ideas and information, everything else is utter BS in the name of money grubbing.
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
Ha-ha-ha.
At work we have a PC which runs with no ad-blocking. Opening a web site often involves staring at a blank window for thirty seconds or more with a status bar saying something like 'Waiting for ads.bollockx.com'.
If the web wasn't such an ad-infested Swamp Of Suck, people wouldn't be blocking them.
Demonstrating the Heisenberg joke principle: explaining or measuring the funniness of a joke instantaneously makes it no longer funny. (Also applies to sarcasm.)
EasyList has a serious flaw: it doesn't add EasyPrivacy by default. Spying servers are nearly as likely to contain extra risks as ad ones.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
I had already blocked all ads served by openx servers (by URL regexp) long before this, after a couple of bad happenings on ad sites running openx.
It apparently is an unreliable platform. This finding only proves that.
However, I also think the ad platforms should take five steps back to become credible and acceptable again.
An ad server should be called from some customer-specific URL on the website and then serve a JPG or PNG with the ad. Period.
All the hoopla with JavaScript fetched from different places, iframes, active content (like Flash), etc. has made it into an unreliable piece of junk that just asks to be blocked. When I block it, they should not blame me but blame themselves.
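The commenter above blocks OpenX-served ads by URL regexp. As an added example (not the commenter's code or anything from OpenX), here is one way to do that on the parsed hostname rather than the raw URL string, so a link such as `?ref=openx.net` on a first-party page is not caught; the `openx` pattern comes from the thread, while `example-adnetwork.test` and the sample request URLs are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Hostname patterns for ad servers to block. "openx" is taken from the
# comment above; "example-adnetwork.test" is a constructed placeholder.
BLOCKED_HOST_PATTERNS = [
    re.compile(r"(^|\.)openx\.(net|org|com)$"),
    re.compile(r"(^|\.)ads\.example-adnetwork\.test$"),
]


def is_blocked(url: str) -> bool:
    """Return True when the URL's hostname matches a blocked ad-server pattern.

    Matching on the parsed hostname (not the full URL) avoids false positives
    where the ad-server name merely appears in a path or query string.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(p.search(host) for p in BLOCKED_HOST_PATTERNS)


def filter_requests(urls):
    """Split a list of request URLs into (allowed, blocked)."""
    allowed, blocked = [], []
    for u in urls:
        (blocked if is_blocked(u) else allowed).append(u)
    return allowed, blocked


# Constructed sample requests, as a proxy/browser extension might see them.
SAMPLE_REQUESTS = [
    "https://www.example.test/article.html",
    "http://d1.openx.net/w/1.0/jstag?nc=123",
    "https://ox-d.openx.org/w/1.0/ai?auid=1",
    "https://www.example.test/page?ref=openx.net",
    "https://ads.example-adnetwork.test/banner.png",
]

if __name__ == "__main__":
    allowed, blocked = filter_requests(SAMPLE_REQUESTS)
    print("blocked:", blocked)
    print("allowed:", allowed)
```

Run against the constructed list, the two OpenX hosts and the placeholder ad network are blocked, while the first-party page whose query string merely mentions `openx.net` is allowed.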