A man shopping online. Image by Tim Sandle, October 2020.
While the pandemic has helped to drive changes, and often improvements, to digital infrastructure, the sheer size of the Internet and its ever-growing history leaves many legacy systems in place. The presence of these can cause issues, and sometimes these are quite embarrassing.
Various news sites, including the Washington Post and New York Magazine, have ended up linking to pornographic sites. This is due to the domain takeover of a defunct video site.
The issue happened because a porn site called 5 Star Porn HD bought the domain for Vidme, a short-lived YouTube competitor founded in 2014 and shut down in 2017. Its Twitter account is still up, but the domain lapsed, according to Vice Magazine.
Looking at the issue for Digital Journal is Nadav Levy, who is the product manager of external attack surface security provider Cyberpion.
According to Levy, the connection to inappropriate sites presents: “A classic example of why basic visibility into an organization’s connected third-party digital infrastructure is so important.”
On the specific case, Levy says: “In this case, the WHOIS records indicate the domain was abandoned over 4 years ago which is more than enough time for the news sites to pick up on this redundant external iFrame inclusion that leads to a domain that’s available for purchase.”
He describes this as “a critical vulnerability” which, “combined with the fact the domain could end up in the wrong hands, can easily lead to a major ongoing security event or in this case we’re seeing, abuse of, and embarrassment for a company’s brand.”
However, the issue can be avoided in the future, Levy says. He states: “To prevent this type of activity, CISOs must simply start to take stock of their inventory – map and classify their assets as well as their external connections which are equally important.”
Following this, Levy says: “Once that base is covered, they should automatically scan for connected external assets that are either inactive, without a valid certificate or present error messages and if possible, go one step further and classify these external third-party assets.”
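The two steps Levy outlines, inventorying a site's external connections and then scanning them for ones that are dead, can be reduced to a small audit script. The following is an added example written for this article; it is not code from Digital Journal, Cyberpion or any of the sites named above. It parses a page's HTML for elements that load from another origin (iframes, scripts, images, stylesheets), separates third-party hosts from first-party ones, and flags any host that no longer resolves in DNS, which is the usual symptom of a lapsed domain. The sample page and the host names in it are constructed for the demo; `embed.example-video.test` is an assumed placeholder for a defunct embed provider, not a real site, and the `demo_resolver` stands in for real DNS so the script runs offline.

```python
"""Inventory the third-party hosts a page embeds and flag those that no longer
resolve, so a lapsed include is noticed before someone else registers the domain.
Added example; not code from Digital Journal, Cyberpion or Vidme."""
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party stylesheet, one same-origin image and
# two third-party embeds. All host names are assumptions made up for the demo.
SAMPLE_HTML = """
<html><body>
<iframe src="https://embed.example-video.test/player?id=123"></iframe>
<script src="https://cdn.example-ads.test/tag.js"></script>
<img src="/static/logo.png">
<link rel="stylesheet" href="https://news.example/css/site.css">
</body></html>
"""

# Constructed stand-in for DNS: this one host is treated as lapsed (NXDOMAIN).
DEMO_DEAD_HOSTS = {"embed.example-video.test"}

# Tag -> attribute that makes the browser fetch a resource from that URL.
_SRC_ATTRS = {"iframe": "src", "script": "src", "img": "src", "link": "href"}


class EmbedCollector(HTMLParser):
    """Collects (tag, host) pairs for every element that loads a remote resource."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        attr = _SRC_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        host = urlparse(value).hostname
        if host:  # relative URLs are same-origin and have no host; skip them
            self.embeds.append((tag, host.lower()))


def external_hosts(html, first_party):
    """Return the set of third-party hosts the page embeds (the inventory step)."""
    parser = EmbedCollector()
    parser.feed(html)
    own = {h.lower() for h in first_party}
    return {host for _tag, host in parser.embeds if host not in own}


def demo_resolver(host):
    """Offline substitute for socket.gethostbyname used by the demo and the test."""
    if host in DEMO_DEAD_HOSTS:
        raise OSError(f"constructed NXDOMAIN for {host}")
    return "203.0.113.1"  # documentation-range address, not a real server


def resolves(host, resolver=socket.gethostbyname):
    """True if the host still resolves; socket.gaierror is a subclass of OSError."""
    try:
        resolver(host)
        return True
    except OSError:
        return False


def audit(html, first_party, resolver=socket.gethostbyname):
    """Map each external host to 'ok' or 'unresolved' (the scanning step)."""
    return {host: ("ok" if resolves(host, resolver) else "unresolved")
            for host in sorted(external_hosts(html, first_party))}


if __name__ == "__main__":
    # Pass resolver=socket.gethostbyname (the default) to check real DNS instead.
    for host, status in audit(SAMPLE_HTML, {"news.example"}, demo_resolver).items():
        print(f"{status:10s} {host}")
```

An "unresolved" entry is the signal to act on: either the include is dead and should be removed, or the domain is lapsed and available, and the next registrant controls what that iframe or script loads into the page. Running this against real DNS with the default resolver turns it into the automated scan Levy describes; extending the status with a certificate check or an HTTP error check covers his other two criteria.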
He concludes his assessment, noting: “It’s important to keep in mind that not all connections are created equal… it’s not just the WHO but also the HOW you’re connected.”