The thought of having a 3rd party send JavaScript and images to end users seems to be a scary thought, but that is exactly what we are doing when I place advertisements onto my site.

  1. Does serving advertisements from AdSense, or any of the online marketing companies decrease the safety of my browsing session?

  2. What is the maximum damage a malicious advertisement could do?

  3. Suppose my business model requires serving ads, how can I safely serve advertisements on my site? What precautions can I take?

makerofthings7

3 Answers

Yes. Serving advertising is opening yourself up to attacks from the marketing company, or any of their middlemen, etc.

There are two ways you can serve advertisements. One way is to put the advertisement in an IFRAME. The second is to include it inline, via SCRIPT SRC=.

  • An iframed advertisement is safer: it is walled away from the rest of your page by the same-origin policy. While the ad can still serve unsavory content, display spoofed content, or try to exploit vulnerabilities in the user's browser (in a drive-by download attack), it cannot tamper with the content on the rest of your site or the user's interaction with your site. However, because the iframe limits what the ad can do (it cannot look at or interact with the containing page; it cannot do expando ads and the like), advertisers generally pay less for these kinds of ads.

  • An inline (SCRIPT SRC=) advertisement is a greater danger. If the ad were malicious, it could completely take over your site: it could steal session cookies, plant a keylogger, steal the user's password, disrupt the site's appearance, grab personal information from the user and forward it off-site, spoof user actions, plant unsavory content on your site, etc. Therefore, if you use this method of including ads on your site, you are placing total trust in the advertising company and everyone they do business with.

    Similarly, you can embed a Flash ad in your web page. This poses similar risks.

Malicious ads have been seen in the wild. In 2009, the visitors to the New York Times web page were attacked by a malicious ad that was being served on the NYT pages and that showed a fake A/V alert (technical details and more details); the attacker bought coverage for his/her ad by pretending to be a customer of the NY Times. Apparently, the FoxNews website has also been attacked by a malicious advertisement, as has MySpace, Excite, Expedia, Rhapsody, MayoClinic, Bing, Yahoo, the London Stock Exchange (details), eBay, Doubleclick, MSN, Spotify, Drudge Report, and undoubtedly others.

There have been some studies of the prevalence of malicious ads. Dasient estimated that three million malicious advertising impressions were served per day in 2010.

In principle, there are technical defenses. For instance, Yahoo's AdSafe is a restricted subset of JavaScript, designed to allow advertisers to build rich media ads (written in JavaScript) that can be embedded directly into the page (via SCRIPT SRC), while maintaining security. However, AdSafe has not caught on, and advertising networks have been reluctant to adopt technical defenses. Instead, they rely upon their vetting of their clients -- which can be fairly cursory. There are also some other approaches that might be applicable, including Google Caja, Microsoft's Web Sandbox, and sandboxed iframes, but I'm not familiar with whether they can be readily applied to typical advertising scenarios.

As a result, if you accept ads, you are taking on a security risk. In many cases this risk is acceptable, particularly if the revenue stream from ads is significant enough. But I would generally recommend that, if your site is especially security-sensitive, then you should probably avoid putting ads on your pages.

D.W.

  • Worth adding - HTML5 added a new 'sandbox' attribute to the IFrame element ( http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox ) that allows the embedding page to limit what the content in the iframe can do. This is also meant to protect the site from malvertising (currently even an iframed ad can f.e. framebust and replace the embedding page for phishing). But it's not widely supported in the browsers yet. – Krzysztof Kotowicz Oct 04 '11 at 15:32
  • Also, there are some existing technologies for sandboxing ad content - the most known is Google Caja ( http://code.google.com/p/google-caja/ ). There's a good summary of those in this presentation http://securitybyte.org/resources/2011/presentations/enabling-un-trusted-mashups.pdf – Krzysztof Kotowicz Oct 04 '11 at 15:36
  • @D.W. You're welcome... But now I'm curious what happened to my comment? – Basic Dec 21 '18 at 20:47
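A small audit of the two embedding methods the answer contrasts (SCRIPT SRC= versus iframe, with and without the `sandbox` attribute the comments mention), as an added example that is not part of the original answer or of any ad network's code. The first-party host `example.test` and the sample page markup are constructed for this example; it runs under Node.js.

```javascript
// Added example (not from the original answer): audits how ads are embedded
// in a page and flags the risky patterns the answer and comments describe.
// FIRST_PARTY and SAMPLE_PAGE are constructed for this example.
const FIRST_PARTY = "example.test";

// Resolve relative URLs against the first-party origin; null if unparsable.
function hostOf(src) {
  try { return new URL(src, `https://${FIRST_PARTY}/`).hostname; }
  catch (e) { return null; }
}

function auditAdEmbeds(html) {
  const findings = [];
  const tagRe = /<(script|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const srcMatch = attrs.match(/\ssrc\s*=\s*["']([^"']+)["']/i);
    const src = srcMatch ? srcMatch[1] : null;
    const thirdParty = src !== null && hostOf(src) !== FIRST_PARTY;
    if (tag === "script") {
      // SCRIPT SRC= runs with the embedding page's full privileges.
      if (thirdParty) findings.push({ level: "high", src, reason: "third-party script has full access to the page" });
      continue;
    }
    const sb = attrs.match(/\ssandbox(?:\s*=\s*["']([^"']*)["'])?/i);
    if (!sb) {
      // Isolated by the same-origin policy, but it can still navigate the top window (framebust).
      findings.push({ level: "medium", src, reason: "iframe without sandbox attribute" });
      continue;
    }
    const tokens = (sb[1] || "").split(/\s+/).filter(Boolean);
    if (tokens.includes("allow-top-navigation")) {
      findings.push({ level: "medium", src, reason: "sandbox re-grants allow-top-navigation (framebust possible)" });
    } else if (!thirdParty && tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
      // A same-origin frame holding both tokens can strip its own sandbox.
      findings.push({ level: "medium", src, reason: "allow-scripts with allow-same-origin on a same-origin frame defeats the sandbox" });
    } else {
      findings.push({ level: "low", src, reason: "sandboxed iframe" });
    }
  }
  return findings;
}

const SAMPLE_PAGE = `
<script src="https://ads.example-network.test/tag.js"></script>
<iframe src="https://ads.example-network.test/banner"></iframe>
<iframe src="https://ads.example-network.test/banner" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://ads.example-network.test/banner" sandbox="allow-scripts"></iframe>
<script src="/static/app.js"></script>`;
console.log(auditAdEmbeds(SAMPLE_PAGE));
```

The first-party `/static/app.js` produces no finding; only the four ad embeds are reported, from the inline script (high) down to the sandboxed iframe (low).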
I think it is worth checking:

And the main risk is that spammers now provide attractive "free" antispam protection, spamming visitors through it instead of web sites, with the webmasters (owners) of the web resources unaware of it.
See my article:

Those advertiser-marketers, providing antispam plugins to their external services, use different tricks to avoid being exposed:

  • do not render ads to the locations of the webmaster/owner of the web resource (site, blog, etc.), so that webmasters of "protected" resources do not see the ads;
  • show advertising to visitors so that it cannot be reproduced:
    • show ads selectively and intermittently (some of the time, to some of the users);
    • show ads only once on the first visit, the first couple of minutes, etc.;
    • use geo-targeting and tracking (do not show ads when there are no advertisers interested in that user or their region);
  • etc.

There is another attack vector that is becoming more common, known as "malvertising": the creation of actual real advertisements that link directly to malware.

While this sort of thing is more the responsibility of the ad network provider, and not the website publisher, it is still a risk that you should be aware of, since by enabling ads on your site you could inadvertently host such things.

You can read more about it on Wikipedia: https://en.wikipedia.org/wiki/Malvertising

You can read a news article about a specific attack here: https://www.pcworld.com/article/2086700/yahoo-malvertising-attack-linked-to-larger-malware-scheme.html