Google has warned DoubleClick customers that some of the files provided by third-party vendors through its advertising platform can introduce cross-site scripting (XSS) vulnerabilities.
The tech giant has shared a list of more than a dozen advertising firms whose files are vulnerable to XSS attacks. The company has advised website owners and administrators to check if the files are present on their server – they are typically hosted in the root domain – and remove them.
“We have disabled these vendors where possible for all DoubleClick for Publishers and DoubleClick Ad Exchange customers. However, any of the mentioned files hosted on your site may still pose a risk and should be taken down. We will notify you as we learn more,” Google said.
The issue was brought to light earlier this week by a researcher who uses the online monikers “Zmx” and “Tr4L.” He is an employee of IDM, a company that specializes in solutions for managing, delivering and monetizing content. The firm uses the problematic iframe buster kit, which led to the discovery of the vulnerabilities.
A proof-of-concept (PoC) provided by Zmx shows how these XSS bugs can be triggered:
Zmx told SecurityWeek that he disclosed his findings via the Full Disclosure mailing list on Tuesday without notifying Google “because he is lazy.” It’s unclear if Google’s alert to customers comes in response to the researcher’s post or if it learned about the flaws from other sources. We have reached out to Google for clarifications and will update this article if the company responds.
Zmx also pointed out that there are several other problematic iframe buster kits for expandable ads that may not be provided by Google. The vulnerable kits identified by the researcher and not included in Google’s list come from Undertone, Interpolls and IgnitionOne (netmng.com).
UPDATE. Google has provided the following statement to SecurityWeek:
“We have disabled these vendors, removed these files, and added instructions in our help center to help publishers manage any additional steps to help ensure their users are secure.”