Update: Cloud-based web host Wix.com is vulnerable to a DOM-based cross-site scripting vulnerability that can give attackers control over any of the millions of websites hosted on the platform.
Austin said Wednesday the vulnerability was still unpatched despite repeated attempts to warn and notify Wix.com since early October. On Thursday Wix.com representatives sent Threatpost a brief statement stating the problem has been solved.
“We take the security of our customers very seriously. After thorough examination we can state that the issue has been addressed. We do operate a formal bug bounty program and are taking steps to widen the community,” said Matt Rosenberg, Wix.com spokesperson. According to Wix.com’s own estimates, there are 86 million users of its platform.
Unlike traditional cross-site scripting exploits, where the payload is delivered in the server's response to an HTTP(S) request, DOM-based XSS attacks modify the Document Object Model environment in the victim's browser that client-side script relies on, so that the page's own client-side code ends up executing the malicious input, according to OWASP.
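The OWASP distinction above can be made concrete with a small model, added here as an example; it is not code from the article, from Wix.com or from Contrast Security, and it says nothing about the actual Wix flaw. It models a URL-fragment source flowing into an innerHTML-style sink as plain functions so it runs under Node without a browser, shows the hardened form that treats the fragment as text, and adds a heuristic line scanner a reviewer might use to spot such source-to-sink flows. The greeting template, the sample fragments and the sample source lines are all constructed.

```javascript
// Added example (not from the article, Wix.com or Contrast Security):
// a DOM-based XSS source-to-sink flow modelled as plain functions, plus a
// heuristic scanner for such flows. All sample inputs are constructed.

// HTML-escape the five characters that can change markup context. In a
// browser, assigning to element.textContent has the same effect implicitly;
// this makes it explicit for code that must build HTML strings.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern, modelled: the URL fragment (source: location.hash) is
// decoded and concatenated straight into markup that a page would then assign
// to element.innerHTML (sink). The browser parses whatever the fragment holds,
// so any markup in the fragment becomes part of the page.
function renderGreetingUnsafe(hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ''));
  return `<h1>Hello ${name}</h1>`;
}

// Hardened pattern: the fragment is escaped so it can only ever be text, never
// markup, and malformed percent-encoding falls back to a fixed default instead
// of throwing inside the render path.
function renderGreetingSafe(hash) {
  let name;
  try {
    name = decodeURIComponent(hash.replace(/^#/, ''));
  } catch (e) {
    return '<h1>Hello guest</h1>'; // URIError on malformed input
  }
  return `<h1>Hello ${escapeHtml(name)}</h1>`;
}

// Count element tags in a rendered string. A correct renderer emits exactly the
// tags of its template (two for this <h1> template) whatever the input; extra
// tags mean the input was parsed as markup. Handy as a unit-test oracle.
function countTags(html) {
  const m = html.match(/<\/?[A-Za-z][^>]*>/g);
  return m ? m.length : 0;
}

// Heuristic review aid: flag source lines where a DOM XSS source and an HTML
// or script sink appear together. It misses flows spread over several
// statements and can flag safe uses, so hits are review candidates, not
// findings. The source and sink names are the usual ones listed by OWASP.
const DOM_SOURCES = ['location.hash', 'location.search', 'location.href',
  'document.URL', 'document.referrer', 'window.name'];
const DOM_SINKS = ['innerHTML', 'outerHTML', 'insertAdjacentHTML',
  'document.write', 'eval('];

function findSourceToSinkLines(source) {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    const src = DOM_SOURCES.find((s) => line.includes(s));
    const sink = DOM_SINKS.find((k) => line.includes(k));
    if (src && sink) hits.push({ line: idx + 1, source: src, sink, text: line.trim() });
  });
  return hits;
}

// Constructed sample inputs: a plain name and a fragment carrying markup.
const BENIGN_HASH = '#Alice';
const MARKUP_HASH = '#<b>Alice</b>';
const SAMPLE_SOURCE = [
  "const name = location.hash.slice(1);",
  "document.getElementById('greeting').innerHTML = 'Hello ' + name;",
  "document.getElementById('greeting').innerHTML = 'Hello ' + decodeURIComponent(location.hash.slice(1));",
  "document.getElementById('greeting').textContent = 'Hello ' + location.hash.slice(1);",
].join('\n');

console.log(renderGreetingUnsafe(MARKUP_HASH), 'tags:', countTags(renderGreetingUnsafe(MARKUP_HASH)));
console.log(renderGreetingSafe(MARKUP_HASH), 'tags:', countTags(renderGreetingSafe(MARKUP_HASH)));
console.log(renderGreetingSafe(BENIGN_HASH));
console.log(findSourceToSinkLines(SAMPLE_SOURCE));
```

The scanner deliberately flags only the third sample line, where the source and the sink sit in one statement; the first two lines carry the same flow split across a variable and go unflagged, which is exactly the gap a real taint-tracking tool closes and a line-based heuristic cannot.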
“Administrator control of a Wix.com site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine cryptocurrency, and otherwise generally control the content of the site as well as the users who use it,” Austin said.
Worse, Contrast Security said, a cybercriminal could build on this flaw and turn it into a worm that spreads across all Wix sites, much like the notorious 2005 Samy worm (also known as the MySpace worm), which was designed to propagate across that social-networking site.
“If the MySpace worm is any guide, taking over all the millions of websites hosted at Wix wouldn’t take very long,” Austin said.
This story has been updated Thursday 9:00 a.m. ET with a comment from Wix.com’s Matt Rosenberg.