Perspective on Publisher Security

AppNexus expends significant resources – technical, financial, and human – to protect publishers, advertisers, and consumers from the many potential negative impacts of the complex online advertising ecosystem. The extraordinary scale of deployed third-party widgets, including advertising tags, attracts bad actors to the advertising space to find ways to manipulate this ecosystem for profit. Our obligation at AppNexus is not just to prevent these issues for AppNexus clients, but to make sure that we protect consumers and the broader Internet ecosystem from bad actors. At its core, our mission is to create a better Internet, and consumer protection is at the heart of what we do.

Last Wednesday, Randy Westergren, a security researcher, pointed out in a blog post how many third-party widgets allow arbitrary JavaScript to be executed in a first-party context. This is a side effect of the way that the web evolved through the inclusion of third-party JavaScript to add functionality to web sites. By creating a simple and powerful way to include a third party's code in a site, we also allow the third party to execute arbitrary code. This is a very common security pattern, and one that has caused continued challenges as the Internet has become increasingly interconnected and interdependent.

The immediate issue for AppNexus was that our platform allows clients to upload creatives (ads) with macros that copy the referring page's web address into the HTML or JavaScript of the creative. This is very useful for logging where ads run, and is a popular feature of the platform. As Randy points out, a bad actor could manipulate the referrer itself and cause the macro expansion to copy, and then execute, arbitrary JavaScript on the first-party site.
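To make the defect concrete, here is an added example (not AppNexus code, and not the macro syntax of any real ad platform) of a creative template expander. The macro name `${REFERRER_URL}` and the sample referrer are assumptions constructed for illustration. The unsafe version pastes the referrer into the creative verbatim; the hardened version encodes it for the output context it lands in, which is the fix that actually closes this class of issue.

```javascript
// Added illustration of referrer-macro expansion in an ad creative.
// Hypothetical macro name; real platforms use their own syntax.
const MACRO = "${REFERRER_URL}";

// Two constructed templates: one places the referrer in an HTML attribute,
// the other inside a JavaScript string literal.
const HTML_TEMPLATE = '<img src="https://tracker.example/log?ref=${REFERRER_URL}">';
const JS_TEMPLATE = 'var ref = "${REFERRER_URL}"; log(ref);';

// Constructed referrer: a syntactically valid URL whose query string carries
// markup. URL validation alone would accept it, so encoding is what matters.
const CONSTRUCTED_REFERRER =
  'https://publisher.example/page?x="><script>evil()</script>';

// Vulnerable behaviour: plain substitution, no context-aware encoding.
// Whatever the referrer contains ends up as live markup/script on the page.
function expandUnsafe(template, referrer) {
  return template.split(MACRO).join(referrer);
}

// Encoder for an HTML attribute value (or text node): the five characters
// that can terminate an attribute or open a tag become entities.
function encodeForHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for the inside of a double-quoted JS string literal.
// JSON.stringify escapes quotes and backslashes; "<" and ">" are additionally
// escaped so a "</script>" inside the value cannot end an inline script block.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .slice(1, -1)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}

const ENCODERS = {
  html_attr: encodeForHtmlAttribute,
  js_string: encodeForJsString,
};

// Hardened behaviour: the caller must declare the output context of the macro,
// and unknown contexts are rejected rather than expanded unencoded.
function expandSafe(template, referrer, context) {
  const encode = ENCODERS[context];
  if (!encode) {
    throw new Error(`refusing to expand macro in unknown context: ${context}`);
  }
  return template.split(MACRO).join(encode(referrer));
}

// Simple review check a creative scanner could apply to expanded output:
// the expansion must not have introduced a tag that the template did not have.
function introducesScriptTag(template, expanded) {
  const count = (s) => (s.match(/<script/gi) || []).length;
  return count(expanded) > count(template);
}

// Demonstration when run directly.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe HTML :", expandUnsafe(HTML_TEMPLATE, CONSTRUCTED_REFERRER));
  console.log("safe HTML   :", expandSafe(HTML_TEMPLATE, CONSTRUCTED_REFERRER, "html_attr"));
  console.log("unsafe JS   :", expandUnsafe(JS_TEMPLATE, CONSTRUCTED_REFERRER));
  console.log("safe JS     :", expandSafe(JS_TEMPLATE, CONSTRUCTED_REFERRER, "js_string"));
}
```

The point of the `context` parameter is that there is no single "escape" that is right everywhere: a value that is safe inside an HTML attribute is not necessarily safe inside a script string, and vice versa. A platform that offers such macros has to know where each one lands and encode accordingly, and a creative scanner can catch misses by comparing the expanded creative against its template.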

AppNexus engineers quickly identified the potential problem and began patching the vulnerability. At 4 PM on March 4th, last Friday, we rolled out a patch globally that resolved the issue on the AppNexus platform. You can read more about the details of our fix here.

However, the larger issue remains: how can a publisher get comfortable working with third-party JavaScript that can open up potential security vulnerabilities? How do we protect ourselves from the many widgets and ad products that sound so easy to install (just copy and paste this HTML!) and yet have such a significant risk profile? Even for those of us that are security-conscious, the Internet is complicated and even the best engineers sometimes overlook security vulnerabilities.

I have a simple recommendation for publishers: use common sense and ask basic security questions when working with third-party vendors. Ask how the vendor reviews new JavaScript changes before they are deployed. If the vendor allows other vendors to include JavaScript – and every vendor in the ad space does – ask what tools they have to screen and restrict new vendors before they can put JavaScript on your site. At AppNexus, we screen every creative through an extensive process that includes vetting through a cybersecurity and virus check before it goes live. On any given day we'll run millions of scans and block hundreds, sometimes thousands, of creatives that go against our policies. We also actively blacklist vendors to protect our publishers and consumers.

In summary, I believe that Randy's blog post was a timely wake-up call for all of us who spend our lives and make our livelihood on the Internet. It's not going to be easy, but it's our shared responsibility to create a better Internet – together.