There has been a great deal of talk about the poor coding efforts of Wheedle.
This post is about another woeful coding effort, this time from Scoop.co.nz. This has all the hallmarks of the infamous Labour Party screw-up with their website, but in this instance with a very real risk of someone placing malicious code within sites that are having ads served by Scoop.
To be extremely clear before I go into the story: I have not hacked, or performed any hacking of, Scoop or any other site. The adserver is completely open to the public and searchable via Google.
I also shared my discovery with some media so as to protect myself from accusations of hacking. You simply do not need to perform any such illegal activity as Scoop has left the door wide open and the keys in the ignition.
I was searching on Google for some details about adservers for a project I am working on and stumbled upon something very concerning about the setup of Scoop’s adserver. For a start, you can Google it. (Image of search results.)
Even basic protections like creating a disallow for the folder that contains the adserver in their robots.txt have not been performed. That is not security; rather, it is obscurity that would at the very least have hidden the adserver from search results.
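The distinction drawn above (a robots.txt disallow only hides the folder; the admin URL itself has to refuse anonymous requests) is worth turning into a repeatable check. This is an added example, not code from the original post or from Scoop; the admin path and the responses it classifies are constructed placeholders fed in by the caller.

```python
# Added example (not code from the original post or Scoop): an audit helper
# separating the two controls discussed above. A robots.txt Disallow only hides
# a folder from search engines; the admin URL itself must refuse anonymous
# requests. The path and responses used here are constructed placeholders.

def robots_disallows(robots_txt: str, path: str) -> bool:
    """True if the 'User-agent: *' group disallows `path`. This is obscurity,
    not access control: it only keeps the folder out of search results."""
    in_wildcard_group = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            in_wildcard_group = value == "*"
        elif field == "disallow" and in_wildcard_group and value:
            if path.startswith(value):
                return True
    return False

def classify_admin_response(status: int, headers: dict, body: str) -> str:
    """Classify the answer to a request for the admin URL with no credentials:
    'protected' (challenge, redirect to or rendering of a login page),
    'exposed' (200 with admin content, the case in the post) or 'unknown'."""
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        return "protected" if "login" in location.lower() else "unknown"
    if status == 200:
        text = body.lower()
        if "<form" in text and "password" in text:
            return "protected"                       # login form shown instead
        return "exposed"
    return "unknown"

def audit(robots_txt: str, admin_path: str, status: int, headers: dict, body: str) -> str:
    """Report the finding; a robots.txt entry never downgrades an exposed panel."""
    state = classify_admin_response(status, headers, body)
    hidden = robots_disallows(robots_txt, admin_path)
    if state == "exposed":
        return "CRITICAL: admin reachable without authentication" + (
            "" if hidden else "; not disallowed in robots.txt, so crawlers index it")
    if state == "protected":
        return "OK: authentication enforced" + ("" if hidden else " (add a Disallow too)")
    return "REVIEW: unexpected response %d" % status
```

Run it against your own adserver by fetching robots.txt and the admin URL without cookies or credentials and passing the status, headers and body in; an "exposed" result means the panel is open regardless of what robots.txt says.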
Once you find it, however, you have unfettered administrative rights to the entire adserver:
I was able to view their entire adserver setup:
Including settings for individual ads:
Access and edit live ads:
Control which sites they would appear on:
Create new campaigns:
Place new ads:
And ad code, including iframe code that would allow me, or anyone else for that matter, to place malicious code within sites that Scoop delivers ads to:
This line in their source calls code into an iframe:
<iframe id="ad_50767E148AB1_SCSG" align="center" src="/xl?c=SCSG;iframeid=ad_50767E148AB1_SCSG" width="988" height="26" frameborder="0" marginwidth="0" marginheight="0" vspace="0" hspace="0" scrolling="no"></iframe>
Because the content of that iframe is editable, anyone could inject their own malicious code to distribute malware etc. You could happily play havoc without them being any the wiser.
To prove my point I have placed ads on Scoop and on The Standard…ads they really wouldn’t want on there, but I could do it nonetheless, without any hacking.
On The Standard:
This is very shoddy work from Scoop Media. If I had my advertising with them I would be distinctly unhappy that they had potentially exposed my site to the risks of malicious code. If I were an advertiser I’d be more unhappy that all my campaign details are there for all to see.
One wonders what other security holes exist on Scoop’s website.