

The Dangers External Services Present To Your Website - cubictwo
http://blog.sucuri.net/2013/08/the-dangers-external-services-present-to-your-website.html

======
danso
So assuming this is how the attack was initiated (through an apparent phish of
an admin-level account at Outbrain), how easy is it for Outbrain to
restructure the admin console so that the editable fields are sanitized? Or I
guess the other way to ask that is...what use case is there for an Outbrain
admin to have the ability to insert arbitrary HTML at the per-client level?

~~~
hvs
I'm certain only Outbrain can answer your question, but a full software audit
of all fields is in order. Sadly, field sanitization (and security in general)
is something that is often overlooked in the rush to get software in front of
clients. It's like not installing railings on stairways because most of the
time you don't need them and you can build the stairs faster without them.
Only nowadays, there are a lot of people trying to push you off the stairs.
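
The per-client field danso asks about and the field audit hvs recommends, as an added example that is not from the Sucuri post, from Outbrain, or from anyone in this thread. The client names, field names and stored values are constructed; the vulnerable renderer pastes an admin-editable field into the widget markup unchanged, the hardened one escapes it, and the audit lists stored fields that already look like markup.

```python
import html
import re

# Constructed sample data: what a vendor's admin console might store per client.
# The admin-editable "title" for client "acme" has had markup pasted into it.
CLIENTS = {
    "acme": {"title": "Recommended for you<script>/* injected */</script>", "max_items": 5},
    "globex": {"title": "You may also like", "max_items": 3},
}


def render_widget_unsafe(client):
    """Vulnerable: the admin-editable field is pasted into the markup served to
    every site that embeds this client's widget, so markup in the field runs there."""
    return f'<div class="rec-widget"><h3>{client["title"]}</h3></div>'


def render_widget_safe(client):
    """Hardened: the field is treated as text only; '<', '>' and quotes become
    entities, so whatever an admin typed is displayed, never executed."""
    return f'<div class="rec-widget"><h3>{html.escape(client["title"], quote=True)}</h3></div>'


# Heuristic for "looks like markup": a tag opener, a javascript: URL, or an on*= handler.
MARKUP = re.compile(r"<\s*/?[a-zA-Z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def audit_fields(clients):
    """The 'full audit of all fields': return (client, field) pairs whose stored
    text looks like markup, so they can be reviewed before an escaping gap is
    found the hard way. Only string fields are inspected."""
    findings = []
    for name, record in clients.items():
        for field, value in record.items():
            if isinstance(value, str) and MARKUP.search(value):
                findings.append((name, field))
    return findings


if __name__ == "__main__":
    for name, record in CLIENTS.items():
        print(name, "unsafe:", render_widget_unsafe(record))
        print(name, "safe:  ", render_widget_safe(record))
    print("fields needing review:", audit_fields(CLIENTS))
```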

------
sandycheeks
The problem is not just malicious ads.

About 3 years ago I had Chitika ads on a busy website and one day they ran a
test of their new mobile ads and accidentally turned it on for all
advertisers. As a result all of the pages that had the Chitika javascript code
on them displayed a huge ad that took up the bottom third of the viewport. It
only lasted a couple of hours but I had over 5k uniques see it and have been
extremely parsimonious with what third party javascript I put on sites ever
since.

------
herge
Is Outbrain the whole "Other articles that may interest you across the
internet" box that suggests such salient articles as "Why Shampoos Are a Waste
of Money"?

If so it is kinda ironic that their web site got hosed by one of their users'
most hated features.

~~~
danso
Outbrain is one of those vendors; there are several others that run the gamut
from good to awful (like the ones that seem to only bring up top-10-smutty
lists).

We use Outbrain at my content startup though I'm not involved in its
implementation...but when I've seen it on other sites, I've most definitely
found their links to be worth clicking through...they partner with a lot of
top content sites (major news organizations and such) so that's to be
expected.

