A severe DOM (Document Object Model) based XSS (Cross-Site Scripting) vulnerability in Wix.com could lead to an attacker gaining full control of the websites hosted on the platform, Contrast Security researchers warn.
Also known as type-0 XSS, a DOM based XSS is a type of attack where the payload is executed by modifying the DOM “environment” in the victim’s browser. Because of that, while the page (the HTTP response) isn’t changed, the client side code contained in the page executes differently, influenced by the malicious changes in the DOM environment.
Cloud-based development platform Wix.com has millions of users worldwide and allows everyone “to create a beautiful, professional web presence.” Wix claims to have 87 million registered users and over 2 million subscriptions.
Wix websites either use a wixsite.com subdomain or a custom domain, and an XSS against these won’t provide an attacker with access to the main wix.com domain and its cookies. Thus, a separate vulnerability is needed for an attacker to steal session cookies that could provide access to administrator session cookies or allow them to access administrator resources.
For that, an attacker can simply use the template demos that are hosted on wix.com, because they contain the vulnerability. Should the attacker manage to exploit an XSS on wix.com, they could do anything as the current user, including launching a worm attack.
The first step of such an attack, is to create a Wix website with the DOM XSS in an , Contrast Security explains. When a Wix user visits the infected website, a similar issue in editor.wix.com is leveraged to edit all of the user's websites and inject the DOM XSS in an . Since the site infects any logged in Wix user and adds the with the same XSS to their websites, all of the current user’s websites now host the malicious content and serve it to their visitors.
“Administrator control of a wix.com site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine crypto-currency, and otherwise generally control the content of the site as well as the users who use it,” Matt Austin, Senior Security Research Engineer, explains.
An attacker could not only change the content of a hosted website for targeted users, but could also challenge the user for their Wix, Facebook, or Twitter username and password or trick them into downloading malware and executing it. Additionally, the attacker could generate ad revenue by inserting ads into website pages, spoof bank web pages and attempt to get users to log in, make it difficult or impossible to find and delete the infection, and could even make themselves an administrator of the website.
The security researchers say they contacted Wix about the issue on October 14 but that no positive response was received so far, although the company initially said it was investigating the issue.
“Contrast Security attempted to reach Wix.com for over three weeks with no response. So we are disclosing this vulnerability in order to protect the many Wix website owners and users of these websites,” the security researcher said.
UPDATE 11/07: Contrast Security contacted SecurityWeek to inform us that Wix appears to have fixed the issue after they made the vulnerability details public:
"We published this disclosure on 11/2 at 8 AM PST. Sometime between 12 and 3 PM PST that same day, Wix appears to have resolved the problem. We can look at the update to see how they resolved this issue," Austin told us.