
Including remote scripts

26 April 2008


Many popular online services hand out code snippets to place on your site for various reasons. Usually there is nothing wrong or dangerous about it; sometimes, however, the opposite is true.

Take the insanely popular Google AdSense service. The idea is awesome; the implementation, not so much. There is one line of code that scares me in particular:

<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>


How incredibly insecure is that? A script pulled in with a script tag runs inside the including page, with that page's origin: it can read and rewrite the DOM, read document.cookie (everything except HttpOnly cookies) and send requests in the visitor's name. By placing Google ads on your website you are therefore putting your site's security in Google's hands. If an attacker gained control of the cluster that hosts show_ads.js, we could be talking about the largest mass defacement in the history of the internet. Worse, the attacker could quietly collect cookies from thousands of websites and then commit identity theft on a massive scale (although, technically, the amount of traffic involved might be overwhelming).

To tell the truth, I can't exactly claim I never made the same mistake. Actually, I have the Google Analytics script embedded in all of my pages right now.

I guess you can agree with me when I say that the chances of Google getting hacked are close to zero. Consequently, I'm not planning to remove the Analytics script from my site anytime soon. However, Google isn't the only one asking users to include remote scripts.

Don't believe me? Take another example: Digg.com. Guess what their solution for placing a "digg it" button on your site is?

<script src="http://digg.com/tools/diggthis.js" type="text/javascript"></script>


Yes, you can argue that digg.com is a pretty secure place as well, but that would be missing the point. By placing this code on your page, you are trusting the admins of another site with your site's security. It is not only a matter of that site being compromised: whoever controls the file can change it at any moment, and every visitor of your site runs the new version the next time the page loads, without anything on your side changing.

What's the solution? Iframes, maybe: a widget loaded in an iframe from the other site's origin is kept out of your page's DOM and cookies by the same-origin policy, which is not true of an included script. Giving out the script files for local inclusion, maybe, so that the copy your visitors execute only changes when you change it. Anything other than executing code from servers that you aren't responsible for.

I doubt anyone who manages a service such as Google AdSense will ever read this post, but if you're someone who includes remote scripts on a website, always remember that what you're doing is insecure: you are extending your site's trust boundary to whoever controls that server, today and on every future day the page is served.

Oh, and P.S.
Flash (SWF) ads can also run scripts: a SWF carries ActionScript and, subject to the allowScriptAccess parameter of the embedding page, can call JavaScript in that page. Guess how many websites embed those remotely?

Posted by: kGen | In category: Webappsec | Comments (0)