Hackers are actively exploiting a dangerous security vulnerability in OpenX — an online ad-serving solution for Web sites — to run booby-trapped ads that serve malware and browser exploits across countless Web sites that depend on the solution.
Security experts have been warning for months about mysterious attacks on OpenX installations in which the site owners discovered new rogue administrator accounts. That access allows miscreants to load tainted ads on sites that rely on the software. The bad ads usually try to foist malware on visitors, or frighten them into paying for bogus security software.
OpenX is only now just starting to acknowledge the attacks, as more users are coming forward with unanswered questions about the mysteriously added administrator accounts.
This problem first came to my attention after I read a blog post by infosec researcher Mark Baldwin, who wrote late last month about finding an unauthorized administrative account called “openx-manager” on one of his clients’ OpenX 2.8.8 installations, the latest version. After much investigation, Baldwin found that the rogue admin account was created virtually at the same instant that he’d last logged in to the customer’s OpenX installation.
Based on these and other findings documented in his blog, Baldwin concluded that OpenX 2.8.8 contains an unpatched flaw known as a cross-site request forgery (CSRF) vulnerability. These types of flaws can be especially sneaky because they are used to trick the victim into loading a page that contains a malicious request. CSRF attacks are most often used to force an end user to execute unwanted actions on a Web application in which he/she is currently authenticated, such as purchasing an item, or adding/deleting account information.
Baldwin told me he believes the attackers were able to add the rogue admin account to his client’s OpenX installation because OpenX contains a CSRF vulnerability that allows such actions.
I confronted OpenX officials about this on Monday. In a very brief phone call today, company executives declined to discuss the attacks in detail, but acknowledged the existence of a CSRF vulnerability in the software that powers both their free and enterprise advertising platforms. OpenX Chief Technology Officer Michael Todd said the company would soon be publishing instructions on its blog outlining steps that users can take to prevent attackers from taking advantage of this flaw, and that it hoped to roll out an official fix for its OpenX Source product, which is the free version of the platform offered to anyone who wishes to host their own digital advertising services.
“What we’re going to do early next week — on Monday or Tuesday — is release a new version of OpenX for people to download as soon as possible,” Todd said. “We’re taking an extra few days to make sure that this gets done correctly and that we’re doing all the testing we need to do before we push that out. But first, we’ll publish a mitigation post that will tell people how they can change their systems,” to mitigate the threat, he said.
OpenX’s head of communications, Al Duncan, inexplicably cut the interview short after I’d asked just two questions, so I was unable to gain clarity on other aspects of this attack, such as whether OpenX’s internal systems may have been abused in the compromises, and how long the company has been aware of the problem. I also wanted to know more about how this vulnerability differed from a similar CSRF flaw in OpenX v. 2.8.7 that was disclosed in June 2011 by researcher Narendra Shinde.
It’s unclear whether the CSRF flaw detailed by Shinde is effectively the same bug that exists in this latest version. But the attackers targeting these flaws appear to have used the same name for the rogue admin account that Baldwin discovered on his client’s OpenX installation: “openx-manager.”
Until OpenX publishes its blog post, users and customers of this product should consider reviewing the mitigation advice offered at Baldwin’s blog.
For more background on this subject, see OpenX forum posts from Nov. 2011, January 2012, March 2012, and April 2012. Internet security firms Armorize and Sophos also have been sounding the alarm about these attacks.