Security Sense: The Security Implication of Ads (and how ad networks have wrecked it for everyone)

Ads are a necessity of free online content these days, but the ad networks have delivered such a poor security experience that it's no wonder consumers are actively trying to get rid of them.

Troy Hunt

September 20, 2015


So it looks like it’s now all come to a bit of a head. Ads, that is, and more specifically the blocking of them and the subsequent retribution being dished out to those using blockers by the sites that are losing their valuable ad impressions. I can’t help but think when looking at how the whole thing has unfolded over the last few years that there’s some blame to be spread all around but frankly, a heap of it has to be dumped on the ad providers themselves and their attitudes to security.

I totally get the need for ads; publishers (such as the one you’re reading this piece on) had long since relied on revenue streams that were increasingly drying up and clearly they needed to adapt. Ad supported material makes a lot of sense in that readers still get their content and publishers still get to pay the people who create it whilst also keeping all the lights on. There’s a symbiotic relationship in there somewhere when each party is getting what they need.

But then you bring in the ad networks who, whilst having a valuable role to play, have really dropped the ball on the security front time and time again. For example, we’ve seen many cases of malware being delivered by ad networks, not because the networks themselves have been intentionally malicious, but because they haven’t been organised enough to stop scammers using them as a delivery channel for it.

Another example is the plethora of cross-site scripting (XSS) risks they’ve inadvertently introduced into otherwise secure websites. Just the other day it was troyhunt.com that fell victim, although fortunately it was discovered by a fellow security pro and not by someone with malicious intent. Here’s a case where the ad provider had fallen victim to one of the oldest security tricks in the book and, by not having their shop in order, their vulnerability was introduced into my website.

The other one I’ve seen my site hit with numerous times before is ad networks redirecting mobile clients to their respective app stores. So here you have someone going to a page on my site, then wammo – now they’re being asked to buy Clash of Clans. This is a well-documented security risk known as an unvalidated redirect or forward; in other words, the malicious actor (in this case the ad network) is exploiting the inherent trust someone has in a site (such as mine) to present them with something entirely different when they go to that site.

As much as I want my ad revenue, I can totally understand why consumers are opting for ad blockers. It’s not just security, it’s the full screen ads you now have to click through on certain sites, the plethora of “Try this one old trick…” bait advertising and the performance impact of redirect within iframe within redirect within iframe within… well, you get the idea. And that’s before you even get to the privacy implications of trackers. Compounding the whole debate is the recent trend of sites degrading (or denying) the experience for people with ad blockers in the one corner, then in the other corner you’ve got ad blockers becoming more mainstream than ever with iOS 9 now supporting them.

Here’s an idea for the ad networks: clean up your act. Publishers want the revenue and most consumers are happy to have ads when they don’t degrade their experience in any tangible way. Until this happens, the lousy security and performance impact of ads are going to increasingly drive consumers to ad blockers, publishers to denying their content to “freeloaders” and frankly make the web a worse experience for all of us.
