Scoop’s Open Source Adserver

There has been a great deal of talk about the poor coding efforts of Wheedle.

NBR broke that story and found security holes in the site of another Trademe wannabe.

This post is about another woeful coding effort, this time from Scoop.co.nz. It has all the hallmarks of the infamous Labour Party screw-up with their website, but in this instance there is a very real risk of someone placing malicious code within sites that have ads served by Scoop.

To be extremely clear before I go into the story: I have not hacked or performed any hacking of Scoop or any other site. The adserver is completely open to the public and searchable via Google.

I also shared my discovery with some media so as to protect myself from accusations of hacking. You simply do not need to perform any such illegal activity as Scoop has left the door wide open and the keys in the ignition.

I was searching on Google for some details about adservers for a project I am working on and stumbled upon something very concerning about the set-up of Scoop’s adserver. For a start, you can google it. (Image of search.)

Even basic protections like adding a Disallow entry for the folder that contains the adserver to their robots.txt have not been performed. That is not security, rather it is obscurity, but at the very least it would have hidden the adserver from search results.

Once you find it, however, you have unfettered administrative rights to the entire adserver:

I was able to view their entire adserver setup:

Including settings for individual ads:

Access and edit live ads:

Control which sites they would appear on:

Create new campaigns:

Place new ads:

And ad code, including iframe code that would allow me, or anyone else for that matter, to place malicious code within sites that Scoop delivers ads to:

This line in their source calls code into an iframe:

<iframe id="ad_50767E148AB1_SCSG" align="center" src="/xl?c=SCSG;iframeid=ad_50767E148AB1_SCSG" width="988" height="26" frameborder="0" marginwidth="0" marginheight="0" vspace="0" hspace="0" scrolling="no"></iframe>

Because the content of that iframe is editable, anyone could inject their own malicious code to distribute malware and the like. You could happily play havoc without them being any the wiser.

To prove my point I have placed ads on Scoop and on The Standard…ads they really wouldn’t want on there, but I could do it nonetheless, without any hacking.

On Scoop:

On The Standard:

This is very shoddy work from Scoop Media. If my site had its advertising served by them, I would be distinctly unhappy that they had potentially exposed it to the risk of malicious code. If I was an advertiser, I’d be more unhappy that all my campaign details are there for all to see.

One wonders what other security holes exist on Scoop’s website.
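As an added illustration (not Scoop's code, and not from the original post), this is the minimal server-side control whose absence the post describes: a WSGI middleware that refuses every request under the admin path unless it carries valid credentials, while public ad delivery is untouched. The admin prefix, the credential store and the stand-in application are assumptions constructed for the example; unlike a robots.txt Disallow, this blocks anyone who already knows the URL, not just search engines.

```python
import base64
import hmac

ADMIN_PREFIX = "/adserver/admin/"  # assumed path of the ad-management UI (constructed)
# Constructed credential store; a real deployment stores salted hashes, not plaintext.
CREDENTIALS = {"adops": "correct horse battery staple"}

def _authorised(environ):
    """True only if the request carries valid HTTP Basic credentials."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    if not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False  # a malformed header counts as no credentials at all
    user, _, password = decoded.partition(":")
    expected = CREDENTIALS.get(user)
    # Constant-time comparison so response timing does not leak password prefixes.
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def require_admin_auth(app):
    """WSGI middleware: paths under ADMIN_PREFIX need credentials, all others pass through."""
    def guarded(environ, start_response):
        if environ.get("PATH_INFO", "").startswith(ADMIN_PREFIX) and not _authorised(environ):
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", 'Basic realm="adserver admin"')])
            return [b"authentication required\n"]
        return app(environ, start_response)
    return guarded

def adserver(environ, start_response):
    # Stand-in application: public ad delivery plus the campaign editor.
    start_response("200 OK", [("Content-Type", "text/plain")])
    if environ.get("PATH_INFO", "").startswith(ADMIN_PREFIX):
        return [b"campaign editor\n"]
    return [b'<iframe src="/xl?c=SCSG"></iframe>\n']

app = require_admin_auth(adserver)

def status_for(path, user=None, password=None):
    """Drive the guarded app in-process; returns (status line, body bytes)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    seen = []
    body = b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0], body
```

Basic auth only makes sense over HTTPS; the point here is the gate itself, which any real adserver should have in front of its campaign editor.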

  • GregM

    Wow, this is really slack from Scoop. Your mate at The Standard is going to love your header on there! Hehehe!

  • Guest

    This is an appalling lack of security by Scoop. Well done on exposing this WO.

  • JohnO1234

    LOL - whaleoil ad on The Standard – priceless!

  • Teletubby

    That advert on The Standard is absolute gold. You should have had it linking to here.

    • Agent BallSack

      When you click it, it links here. I think they are none the wiser too, stupid leftards.

  • coventry

    Ouch, this is going to hurt.

  • phronesis

    Worth turning the adblocker off just to see it.

    • Name

      I’ve used adblock for so long I forgot that there was advertising on the internet. I block all social network buttons etc; it says I’m blocking 31 items on this page alone, 49 items on the NYT homepage. It’s disgusting how much crap uses your limited bandwidth up.

  • Richard

    That was quick, those links now go here https://newsagent.scoop.co.nz/ complete with a login screen. The cached versions are still in google though.

  • Print more money! Moar!!

    Scoop is not the only one with security issues in their advertising. About two years ago I and a few other IT professionals alerted Stuff to an ad they were running that was trying to force malware onto the viewer’s machine. To their credit they responded quickly (I think the Herald even printed a small story about it), but it showed that they weren’t vetting or monitoring the ads they were running.

  • John

    Cam – based on this article in The Register today, you may be able to claim a bounty for discovering this sort of security hole: http://www.theregister.co.uk/2012/10/11/exploit_vulnerability_marketplace/

  • Peter Jenkins

    Ow, that is loose. I wonder if anyone took the opportunity to surreptitiously nip in and put up an ad for themselves..
