
Security Sense: The Security Implication of Ads (and how ad networks have wrecked it for everyone)

So it looks like it’s now all come to a bit of a head. Ads, that is, and more specifically the blocking of them and the subsequent retribution being dished out to those using blockers by the sites that are losing their valuable ad impressions. I can’t help but think when looking at how the whole thing has unfolded over the last few years that there’s some blame to be spread all around but frankly, a heap of it has to be dumped on the ad providers themselves and their attitudes to security.

I totally get the need for ads; publishers (such as the one you’re reading this piece on) had long since relied on revenue streams that were increasingly drying up and clearly they needed to adapt. Ad supported material makes a lot of sense in that readers still get their content and publishers still get to pay the people who create it whilst also keeping all the lights on. There’s a symbiotic relationship in there somewhere when each party is getting what they need.

But then you bring in the ad networks who, whilst having a valuable role to play, have really dropped the ball on the security front time and time again. For example, we’ve seen many cases of malware being delivered by ad networks, not because the networks themselves have been intentionally malicious, but because they haven’t been organised enough to stop scammers using them as a delivery channel for it.

Another example is the plethora of cross site scripting (XSS) risks they’ve inadvertently introduced into otherwise secure websites. Just the other day it was troyhunt.com that fell victim, although fortunately it was discovered via a fellow security pro and not by someone with malicious intent. Here’s a case where the ad provider had fallen victim to one of the oldest security tricks in the book and by them not having their shop in order, their vulnerability was introduced into my website.

The other one I’ve seen my site hit with numerous times before is ad networks redirecting mobile clients to their respective app stores. So here you have someone going to a page on my site then wammo – now they’re being asked to buy Clash of Clans. This is a well-documented security risk known as an unvalidated redirect or forward: in other words, the malicious actor (in this case the ad network) is exploiting the inherent trust someone has in a site (such as mine) to then present them with something entirely different when they go to that site.
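As an added example (not code from the original column, nor from troyhunt.com or any ad network), here is how a publisher can have the browser contain ad code so that the two failures above, an ad script running in the page context (the XSS case) and a creative redirecting the whole tab (the unvalidated redirect case), are blocked regardless of how careful the network is. It models a Content-Security-Policy header plus a sandboxed ad iframe; the host names publisher.example and ads.adnetwork.example are constructed placeholders, and the policy matcher only covers the source forms a publisher typically writes (no path or port matching, and no http-to-https upgrade rule).

```javascript
// Added example, not from the original post. Host names are constructed placeholders.
const PUBLISHER_ORIGIN = 'https://publisher.example';
const AD_NETWORK_ORIGIN = 'https://ads.adnetwork.example';

// Build a Content-Security-Policy value for an article page: scripts only from
// the publisher and its one chosen ad host, creatives framed only from that host,
// no plugin content, and nobody may frame the publisher's own pages.
function buildPolicy(adOrigin) {
  const directives = {
    'default-src': ["'self'"],
    'script-src': ["'self'", adOrigin],
    'frame-src': [adOrigin],
    'img-src': ["'self'", adOrigin, 'data:'],
    'object-src': ["'none'"],
    'frame-ancestors': ["'none'"],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a policy string back into { directive: [source, ...] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression match a URL? Covers 'self', 'none', a bare scheme
// such as data:, and host sources with an optional scheme and a leading "*."
// wildcard (which, as in real CSP, matches subdomains but not the apex host).
// Path and port matching are left out of this simplified matcher.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== `${scheme.toLowerCase()}:`) return false;
  const hostname = url.hostname.toLowerCase();
  const base = host.toLowerCase();
  return wildcard ? hostname.endsWith(`.${base}`) : hostname === base;
}

// Would the browser fetch `urlString` for `directive` under this policy? When a
// directive is absent the browser falls back to default-src, so we do the same.
function allowedBy(header, directive, urlString, pageOrigin) {
  const policy = parsePolicy(header);
  const sources = policy[directive] || policy['default-src'] || [];
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Escape a value for a double-quoted HTML attribute so a URL handed to us by an
// ad server cannot break out of the attribute and inject markup into the page.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The ad slot: a sandboxed iframe. The creative may run script and open its
// landing page in a new window on a click, but without allow-top-navigation it
// cannot redirect the publisher's tab, and without allow-same-origin it gets an
// opaque origin and cannot read the publisher's DOM, cookies or storage.
function adSlotHtml(creativeUrl) {
  return `<iframe src="${escapeAttr(creativeUrl)}" sandbox="allow-scripts allow-popups" referrerpolicy="strict-origin"></iframe>`;
}

// Demonstration: a script host a creative tries to pull in that the publisher
// never approved is refused by the policy.
const articlePolicy = buildPolicy(AD_NETWORK_ORIGIN);
console.log(articlePolicy);
console.log(allowedBy(articlePolicy, 'script-src', 'https://cdn.rogue.example/x.js', PUBLISHER_ORIGIN)); // false
console.log(adSlotHtml('https://ads.adnetwork.example/creative?slot=top'));
```

The policy is sent as the `Content-Security-Policy` response header on the article page (or first as `Content-Security-Policy-Report-Only` with a `report-uri`, which records what the ad chain actually loads before anything is blocked). The iframe `sandbox` does the rest: the creative's landing page opens in a new window on a click instead of hijacking the tab the reader was on.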

As much as I want my ad revenue, I can totally understand why consumers are opting for ad blockers. It’s not just security, it’s the full screen ads you now have to click through on certain sites, the plethora of “Try this one old trick…” bait advertising and the performance impact of redirect within iframe within redirect within iframe within… well, you get the idea. And that’s before you even get to the privacy implications of trackers. Compounding the whole debate is the recent trend of sites degrading (or denying) the experience for people with ad blockers in the one corner, then in the other corner you’ve got ad blockers becoming more mainstream than ever with iOS 9 now supporting them.

Here’s an idea for the ad networks: clean up your act. Publishers want the revenue and most consumers are happy to have ads when they don’t degrade their experience in any tangible way. Until this happens, the lousy security and performance impact of ads are going to increasingly drive consumers to ad blockers, publishers to denying their content to “freeloaders” and frankly make the web a worse experience for all of us.
