How Bad Ads Hijack Your Browser With One Simple Trick
Forced mobile redirects are perhaps the most pervasive ad security concern today for both publishers and consumers of digital content. In fact, apart from deceptive in-banner video campaigns, it’s the number one inbound concern we see from our customers here at Confiant. It’s an issue that is well known and documented. Here’s a Twitter search for “malicious ad”:
https://twitter.com/search?f=images&vertical=default&q=malicious%20ad
While some of the bad actors pushing redirects do layer on sophisticated elements of obfuscation in order to evade detection, most of the time it’s this one little loophole at the heart of it all:
window.top.location = "http://[redirect]";
In order to fully understand why this is possible from a display ad, and why removing this feature entirely is not a viable solution to the problem, we need to learn a couple of things about browser security, namely the Same-Origin Policy.
The Same-Origin Policy is a (non-standardized) ruleset that dictates what level of access embedded web elements have to their parent, and vice versa. “Origin” is determined by several factors, but at a high level we can just think of it as the top-level domain. This is important, because contemporary websites are advanced applications that typically consist of third- and fourth-party components all on one page. Think: embedded media, external forms, social widgets, SSO, ads, etc.
So if, for example, website abc.com has a widget from xyz.com in the side panel, the widget is not able to access the parent site’s DOM, because the two top-level domains don’t match. Before we move on, let’s be explicit about why there is an immutable need for this rule:
If Cross-Origin elements are able to access each other, then third party cookies, authentication, and sensitive data can be easily and unequivocally compromised.
For example, you know how your Gmail account leaves you logged in so that you don’t have to enter your password every single time you navigate to the site? Now imagine a sophisticated attacker is able to embed gmail.com in an invisible iframe on his malicious website. If you land on that malicious site while authenticated with Gmail, and his code can read the contents of that iframe, then it’s game over for the integrity of your email account. What if instead of Gmail it was your checking account? Conversely, in a world without the Same-Origin Policy, an attacker’s malicious code can break out to read and impact the parent page. Imagine the wrath of bad campaigns in a world like that?
At this point, let’s ask the obvious question:
If the Same-Origin Policy prevents cross-domain objects from accessing each other, then why can we set window.top.location from a cross-domain iframed ad?
What we have here is actually an intentional exception to the rule, and for good reason. The crux of it is that despite all the mitigations afforded by a browser’s enforcement of the Same-Origin Policy, iframes still pose a security threat. Let’s take a look at an attack called Clickjacking as an example:
Clickjacking is a “UI redress” tactic whereby an attacker arranges a malicious site in such a way that a visitor’s clicks actually land on a hidden element that they are not aware of. What if that element is an iframed banking website that the user is authenticated on? What if the click lands on the “send now” button to transfer some funds away? It’s for this reason that websites need an ability to break out of iframes, and the mechanism by which they do so is window.top.location.
Yes, the irony should not be lost on us that the very vehicle that allows bad actors to hijack your browser is in fact a mis-appropriation of a security feature — but does this mean we’re doomed forever?
I’m actually quite optimistic that this loophole will become deprecated as browser security evolves and becomes standardized. We are already well under way with things like X-Frame-Options and Sandboxed Iframes, but until these things find ubiquitous adoption and ad-tech catches up to perform equally in sandboxed placements, the game of whack-a-mole with the bad actors will carry on.
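As an added illustration (not code from the original post or from Confiant), here are the two sides of the mechanism described above on one publisher page: the legacy frame-busting script that is the legitimate use of window.top.location, and an ad slot rendered in a sandboxed iframe that withholds the allow-top-navigation token, so the very same assignment made from inside the creative is refused by the browser. The ad URL and slot size are placeholders.

```html
<!-- Publisher page; added example, not from the original article -->
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Publisher page with a sandboxed ad slot</title>
  <!--
    Header-based replacement for script frame-busting. These must be sent as
    HTTP response headers; browsers ignore both of them in <meta> tags:
      X-Frame-Options: DENY
      Content-Security-Policy: frame-ancestors 'none'
  -->
  <script>
    // Legacy frame-busting: the intended use of window.top.location.
    // If another origin has framed this page (e.g. for clickjacking), the
    // page navigates the top-level window to itself and escapes the frame.
    // The Same-Origin Policy allows this write even though the parent is
    // cross-origin; that is the exception the article describes.
    if (window.top !== window.self) {
      window.top.location = window.self.location.href;
    }
  </script>
</head>
<body>
  <h1>Article content</h1>

  <!--
    Ad slot. The sandbox attribute is an allow-list. "allow-top-navigation"
    is deliberately absent, so the creative can still run script, but
      window.top.location = "http://[redirect]";
    executed inside the frame throws a SecurityError instead of redirecting
    the reader. "allow-popups" lets a genuine click still open a landing page
    in a new tab. Adding "allow-top-navigation-by-user-activation" instead
    would permit top navigation only in response to a user gesture, which
    blocks the automatic forced redirect while keeping click-through intact.
    The src below is a placeholder.
  -->
  <iframe
    src="https://ads.example/creative.html"
    sandbox="allow-scripts allow-popups allow-popups-to-escape-sandbox"
    width="300" height="250"
    title="Advertisement">
  </iframe>
</body>
</html>
```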
Archive: This article was originally published on the Confiant Medium blog on October 30, 2017