Publishers’ plug-in addiction can come back to haunt them
Publishers today have struck a Faustian pact with the third-party vendors that plug into their sites. Working with vendors gives publishers perks like analytics and free commenting systems, but every vendor script that runs on a page also inherits that vendor's security weaknesses.
Reuters found this out the hard way this week when hackers from the Syrian Electronic Army used the site's Taboola widget to redirect readers of its article pages to pages carrying pro-Syria messages. The widget, which appears on thousands of sites, drives both traffic and revenue to publishers by recommending related content to readers, which is why it is a common fixture on the sites of many big-name publishers. (Digiday also uses Taboola to recommend related Digiday content.)
Beneficial or not, Taboola also served as a viable attack vector for the Reuters hackers. Because exposure is the main motivation for the SEA, going after a big site like Reuters, which gets roughly 12 million unique visitors a month, is a no-brainer. The organization’s previous big-ticket targets include BBC News, The Associated Press and The Washington Post. (The SEA previously attacked Reuters’ Twitter account in 2012.)
“These publishers have to understand that, just as they’re platforms for news, they’re also platforms for criminals and cyber terrorists to spread their messages,” said Sean Brady, vp of product management at security company Vorstack.
And Taboola isn't alone. Last August, the SEA hijacked Outbrain, another content recommendation widget, to redirect visitors to the Washington Post and CNN to its own website.
“Any company that works with a lot of prominent publishers could be under attack simply because they work with those prominent sites,” said Ira Silberstein, svp of publisher operations at Taboola. Silberstein said that while Taboola had significant security measures in place, the Reuters hack showed they could do more.
The Taboola hack also exposed one of the dicier facts about publishers' sites: they have a lot of third parties plugged into their pages. A single Reuters page, for example, serves up as many as 40 widgets, tracking pixels and ad tags from companies like Quantcast, BlueKai and Moat. Every script that is loaded directly into the page runs in the reader's browser with the same privileges as the publisher's own code, so each of them could, in theory, serve as a gateway into the site.
“Every API that these companies offer becomes a point of potential compromise that you have to scrutinize closely,” Brady said. “Increasing the number of plugins only increases the surface area for attack.”
What is notable about the Taboola hack, however, is that the hackers did not "hack" the company in the brute-force sense. Instead, they gained access to Taboola's backend by tricking a Taboola employee into handing over their log-in details. Hence the irony: Reuters was not compromised because of a flaw in Taboola's code but because someone at Taboola could not spot a phishing email. Last year's Outbrain attack started the same way.
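As an added illustration, not code from the article or from any vendor it names, the following Node.js script inventories the third-party code a page loads and flags which embeds are in a position to redirect readers, as the hijacked widget did. The sample page, the hostnames and the publisher origin are constructed placeholders. It treats any cross-origin script tag as able to navigate the page, a cross-origin iframe as able to do so unless it carries a sandbox attribute without allow-top-navigation, and a tracking pixel as unable to run code at all. It also records whether a script is pinned with Subresource Integrity, with the caveat that a hash pin only protects a fixed file and so cannot cover a widget whose content changes, and that no domain allowlist helps when the attacker controls the vendor's own backend, which is what happened here.

```javascript
// Added example: static audit of third-party code on a publisher page.
// Not code from the article, Reuters or Taboola. All hostnames and the
// HTML below are constructed placeholders.

const PUBLISHER_ORIGIN = "https://www.example-publisher.com";

// Constructed sample page: two vendor scripts (one pinned with SRI), a
// first-party script, two vendor iframes (one sandboxed) and a tracking pixel.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.example-vendor.net/widget.js"></script>
<script src="/static/site.js"></script>
<script src="https://static.example-cdn.com/lib.js"
        integrity="sha384-placeholderhash" crossorigin="anonymous"></script>
</head><body>
<iframe src="https://widget.example-vendor.net/embed"></iframe>
<iframe src="https://comments.example-vendor.net/embed"
        sandbox="allow-scripts allow-same-origin"></iframe>
<img src="https://pixel.example-tracker.com/p.gif">
</body></html>`;

// Parse key="value" attributes from a tag body (double-quoted values only,
// which is all the constructed sample uses).
function parseAttrs(attrString) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(attrString)) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Return the attribute map of every <tagName ...> start tag in the HTML.
function extractTags(html, tagName) {
  const re = new RegExp(`<${tagName}\\b([^>]*)>`, "gi");
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(parseAttrs(m[1]));
  return out;
}

// Resolve src against the publisher origin; return the hostname if it is
// cross-origin, otherwise null.
function thirdPartyHost(src, publisherOrigin) {
  const url = new URL(src, publisherOrigin);
  return url.hostname === new URL(publisherOrigin).hostname ? null : url.hostname;
}

// One finding per third-party resource, with two flags:
//   canNavigate: the embed has enough privilege to redirect the page
//   pinned:      the fetched bytes are tied to a hash (Subresource Integrity)
function auditThirdParties(html, publisherOrigin) {
  const findings = [];
  for (const a of extractTags(html, "script")) {
    const host = a.src && thirdPartyHost(a.src, publisherOrigin);
    if (!host) continue;
    // A script tag runs in the page's own origin: it can rewrite the DOM,
    // read whatever JS can read, and set window.location.
    findings.push({ kind: "script", host, canNavigate: true, pinned: "integrity" in a });
  }
  for (const a of extractTags(html, "iframe")) {
    const host = a.src && thirdPartyHost(a.src, publisherOrigin);
    if (!host) continue;
    // A frame with no sandbox attribute may navigate the top-level page
    // (subject to browser user-activation rules). A sandbox forbids that
    // unless allow-top-navigation is granted back; the regex also matches the
    // "-by-user-activation" variant, which is treated conservatively as a yes.
    const canNavigate = a.sandbox === undefined || /\ballow-top-navigation\b/.test(a.sandbox);
    findings.push({ kind: "iframe", host, canNavigate, pinned: false });
  }
  for (const a of extractTags(html, "img")) {
    const host = a.src && thirdPartyHost(a.src, publisherOrigin);
    if (!host) continue;
    // A pixel reports the visit to the tracker but cannot run code in the page.
    findings.push({ kind: "img", host, canNavigate: false, pinned: false });
  }
  return findings;
}

// Condense findings into what a publisher's security review would ask for.
function summarize(findings) {
  return {
    total: findings.length,
    canNavigate: findings.filter((f) => f.canNavigate).map((f) => f.host),
    unpinnedScripts: findings.filter((f) => f.kind === "script" && !f.pinned).map((f) => f.host),
  };
}

const REPORT = summarize(auditThirdParties(SAMPLE_HTML, PUBLISHER_ORIGIN));
console.log(JSON.stringify(REPORT, null, 2));
```

Run it with `node` to print the summary: three embeds can redirect the reader (both scripts and the unsandboxed iframe), and only one script is unpinned. The sandboxed comments frame cannot navigate the top page even if its vendor is compromised, which is the one control here that survives a vendor-side takeover; a recommendation widget that needs the page's DOM cannot always be isolated that way, and that trade-off is the decision the audit is meant to surface.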
This further complicates the picture for publishers. Similar to how marrying someone also means marrying their family, working with a third-party vendor also means trusting the security smarts of that vendor’s employees. Sometimes the weakest links are human, not technology.
“Taboola had done everything correct,” said Steve Hultquist, CIO at RedSeal Networks. “They had two-factor authentication and so on, but when someone gets phished, all that goes out the window. The human being is the weak point.”
While all of this is far outside the purview of publishers considering, say, their next commenting system, Brady said it is a routine concern in the financial sector, where companies commonly vet how well their partners train employees to recognize phishing. Publishers, it seems, could benefit from taking the same approach.
Meanwhile, it’s business as usual for Reuters, which is still running Taboola’s widget despite the hack.