Wix.com Security Flaw Leaves Millions of Websites Vulnerable
An XSS vulnerability discovered on the Wix.com platform has put millions of websites and their users at risk of attack.
Wix.com, a website design platform that became popular for its drag and drop templates, has 87 million registered users and even more websites hosted on their platform, all of which are currently vulnerable to an XSS bug that can be utilized by attackers to create worms capable of taking over an administrator account.
Basically, by exploiting the vulnerability, someone can take full control over any website built on the platform.
Matt Austin, a security researcher from Contrast Security, wrote in a blog post that the Wix.com platform has a severe DOM XSS vulnerability that can be triggered by simply adding a single parameter to any site created on Wix.com. All an attacker would have to do is add a redirection command to any URL created on the platform to successfully take over.
Attackers could also use template demos, hosted on the Wix.com domain, to gain access to admin session cookies and resources. Once a session cookie is stolen, an attacker can place the DOM XSS in an iframe that will then host malicious content on any website controlled by a single operator.
Austin said that he asked for a security contact to disclose the issue, but Wix.com replied with, “We are investigating the matter and will follow up with you as soon as possible.”