
Leading 'anti adblock' provider gets hacked- pushed malware to end users - DanBlake
http://blog.pagefair.com/2015/halloween-security-breach/
======
jmount
I think I saw this. I visited a legit science or business page (don't
remember) and a window said my "Flash player was out of date" and immediately
started downloading a Windows ".exe" claiming to be a flash installer. I am on
OSX with no Flash installed, so I know it wasn't Adobe's updater.

~~~
jmount
Remembered the url:
http://www.kalzumeus.com/2015/10/30/developing-in-stockfighter-with-no-trading-experience/

~~~
notfoss
They seemed to have removed the pagefair code for now.

------
0x0
And then content makers are still scratching their heads on why people please
won't stop using adblockers?!

~~~
542458
This has nothing to do with blocking ads. You'd still be affected by this hack
whether you were running adblock or not - the service is designed to be
extremely difficult for adblockers to catch except maybe on a site-by-site
basis. It's more of an argument for blocking _all_ scripts.

~~~
0x0
I'd expect any decent adblocker to already have blacklisted this and similar
services.

~~~
DanBlake
This is a service publishers use to show ads when a user has an adblocker
enabled. It works on the most popular adblocker, adblock plus
(firefox/chrome). Not sure if it works on ublock origin or ghostery/others,
but those are still a small proportion of all adblock users.

Noscript would have protected you though, which has a pretty large install
base.

------
mschuster91
This is the downside and the greatest danger with more and more centralized ad
networks.

Site owners: Market your ads directly or through smaller exchanges, and host
them yourself. This is the only viable long-term option.

~~~
itake
Is it? I hypothesize that smaller exchanges have fewer resources to develop
secure systems. While they may be smaller targets, I think their architecture
may be less robust. Hence why I trust gmail to run my email rather than rolling
my own server.

~~~
djent
An image that links to the advertiser's product is really all that is needed.

~~~
stevesearer
My advertisers are happy with this approach, and instead of taking a CPM or
CPC, billing monthly like a billboard seems to work just fine, meaning I'm not
incentivized to game clicks or views.

This is nice because it makes me want to make good decisions for the user
experience (no multi-page image galleries) which I believe will help attract
the types of visitors my advertisers want to interact with.

------
makomk
They're basically selling a content-obfuscating anti-detection system for
webpages as a service. Of course it's going to be abused to push malware.
They're just lucky the attacker wasn't more sophisticated this time around.

~~~
Tiquor
No they aren't. They aren't even an "anti adblocking" tool. They replace ads
with "acceptable" (as defined by the ad block plus people BTW) ads for ad block
users.

------
aslewofmice
So the attacker got the password for a work email (and let's be honest, it was
likely a shared account amongst a department not an individual) that was used
for the CDN account hosting their serve code, where the attacker appended a
malware download link to their script running on however many sites they work
with.

And they were able to convince website owners to grant them access to
visitor's connection in order to prevent people from blocking ads? And they
were also able to convince them to pay money for this service?

------
onewaystreet
I've never seen a major website that uses anti-adblock. I've seen a few that
display a message but none that actually stop you from viewing the site.

~~~
craigds
rdio.com stops playing music as soon as it tries & fails to play an audio ad.
You can refresh the page to continue with the next song though.

Since it seems to play an ad after every song (?!) this basically prevents
ublock users from using the free version of rdio.

~~~
pavel_lishin
Hulu does something similar, but sometimes it shows ads, and sometimes it
tells me that I need to disable ad-blocking software.

I just refresh, and it usually works.

I'm not willing to disable Ghostery and uBlock, though; 12 things blocked by
Ghostery and 31 by uBlock - I don't need any of it, Hulu, thanks.

~~~
vonklaus
I will never understand how that company makes money. If you can get users to
pay you for your content, then don't try and sell your users' time to someone
else. Horrible value proposition and if you have to block that much stuff they
likely sell your data as well, not to mention many premium clients are
shittier than the pirate sites. Hulu value proposition:

* Pay for content.
* Still have to watch commercials.
* Have data about my usage sold to highest bidder.
* Video client that is not as good as putlocker (or whatever the cool kids are using these days)

It is owned by NBC, Disney and Fox. They still don't get that you can sell
content, sell ads, or sell nothing. Very little overlap.

~~~
TeMPOraL
It's like with Lenovo and SuperFish. Even if you have a perfectly good
business model and satisfied customer, there's nothing stopping some greedy
people from trying to extract _even more_ value from their customer.

------
gorhill
> The attackers then immediately performed a password reset to hijack
> PageFair’s account on a Content Distribution Network (CDN) service that we
> use to serve our analytics javascript tag. They modified the CDN settings so
> that instead of serving PageFair’s javascript, it served malicious
> javascript.

It would have been nice if the article had spelled out the exact hostname from
that CDN, to find out whether it is blocked by default by blockers.

------
r1ch
Seems like this could have been prevented if they supported subresource
integrity.

~~~
garrettr_
Not really. Since you need to know the correct hash ahead of time, Subresource
Integrity works best when you're requesting a well-known piece of static data
from a 3rd-party server, e.g. jQuery version x.y from a CDN. For a site like
Pagefair (or other sites that serve 3rd-party scripts, like Google Analytics),
the benefit of the web platform is being able to serve _dynamic_ data. You get
to upgrade your software quickly and easily, without the friction of obtaining
the cooperation of your website partners (1st party sites that included
Pagefair's scripts) or end users.

If you want to use Subresource Integrity to prevent this kind of a problem,
you need to first devise a mechanism to communicate the correct expected hash
from the 3rd party site to their 1st party customers in a trusted manner. This
is non-trivial. It adds a lot of friction to Pagefair's software development
and deployment processes (think about how you would implement A/B testing, for
example). It's also not a guarantee - if your servers can be hacked, it's
possible your "trusted hash communication mechanism" would be as well, unless
you follow stringent security protocols (human confirmation for signing,
offline keys, etc.) which would add even more friction.

Of course, you would need cooperation and involvement from your first-party
customers for SRI to be effective in the first place, and I don't know how
many of them would be thrilled to have to devote engineering resources to
fixing potential security problems caused by their partners... sounds like a
good reason to consider switching to a competitor.

~~~
kbenson
Sure it could. "It's hard" is not a rebuttal to "it's possible". That ad-
networks might need to implement a system to let content-providers review and
approve a set of ads that might be served, that have a TTL until they expire,
and generates a JS to be included in the local site with SRI hashes to be
integrated might be hard, and it also might cede some control to sites as to
exactly what ads they are willing to serve, but it's also a responsible way to
deal with ad-delivery and would in all likelihood have made this hack if not
impossible, at least much harder and likely caught and mitigated with far less
exposure. Sure it's harder on both parties (but there are benefits as well),
but sometimes things are harder because you are no longer taking unsafe
shortcuts, and I have no sympathy for that.
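
The trade-off argued in the three comments above (r1ch, garrettr_, kbenson), as an added example that is not part of the original thread: a Node.js sketch of how a Subresource Integrity attribute is matched. It shows that a single pinned hash rejects both a tampered script and a legitimate vendor update, while a list of site-approved hashes accepts each approved release and still rejects the tampered body. The function names and the script bodies are constructed for illustration.

```javascript
const { createHash } = require("node:crypto");

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 }; // algorithms SRI defines

// Build one integrity token ("sha384-<base64 digest>") for a script body.
function sriHash(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body, "utf8").digest("base64")}`;
}

// Parse an integrity attribute; tokens with unknown algorithms are ignored.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).filter(Boolean).map((token) => {
    const [expr] = token.split("?"); // drop the optional "?options" suffix
    const dash = expr.indexOf("-");
    return { alg: expr.slice(0, dash), digest: expr.slice(dash + 1) };
  }).filter((m) => Object.hasOwn(STRENGTH, m.alg));
}

// True if a browser would execute `body` under this integrity attribute.
function verifyIntegrity(body, attr) {
  const metadata = parseIntegrity(attr);
  if (metadata.length === 0) return true; // no usable metadata: nothing enforced
  const best = Math.max(...metadata.map((m) => STRENGTH[m.alg]));
  return metadata
    .filter((m) => STRENGTH[m.alg] === best) // only the strongest algorithm counts
    .some((m) => sriHash(body, m.alg) === `${m.alg}-${m.digest}`);
}

// Constructed sample bodies standing in for a third-party tag served from a CDN.
const tagV1 = "/* vendor tag v1 */ report('pageview');";
const tagV2 = "/* vendor tag v2 */ report('pageview', { ab: 'B' });";
const tampered = tagV1 + "\n/* line appended by whoever controls the CDN */";

// A single pinned hash versus a list of releases the site has approved.
const pinned = sriHash(tagV1);
const approved = [tagV1, tagV2].map((b) => sriHash(b)).join(" ");

function demo() {
  return {
    pinnedV1: verifyIntegrity(tagV1, pinned),              // true
    pinnedTampered: verifyIntegrity(tampered, pinned),     // false
    pinnedV2: verifyIntegrity(tagV2, pinned),              // false: update blocked too
    approvedV2: verifyIntegrity(tagV2, approved),          // true
    approvedTampered: verifyIntegrity(tampered, approved), // false
    unknownAlg: verifyIntegrity(tampered, "md5-AAAA"),     // true: attribute ignored
  };
}
console.log(demo());
```

The last case is the one to watch when auditing pages: an integrity attribute that carries only unrecognised algorithms is treated as absent, so the script loads unchecked.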

------
coldcode
Anyone else see a page with nothing on it on this site?

~~~
have_faith
I get the page loaded fine but with no css or javascript (it's very snappy!).
Will probably be back to normal soon.

~~~
mintplant
You might be using uBlock, then. For me it's blocking all assets on the
pagefair.com site except the contents of the page itself. Temporarily
disabling uBlock lets the rest of the page load.

