Wix.com Security Flaw Exposed

As the popularity of free drag-and-drop websites become more prevalent, the inherent dangers associated with them becomes more apparent. It was recently discovered the Wix platform, which boasts over 87 million users, was vulnerable to an XSS bug. Using this bug administrator accounts became vulnerable, potentially giving full control of the website to attackers.

In a recent blog posted by Contrast Security, it was exposed that this severe DOM XSS vulnerability is easily introduced to the website. With the addition of a single parameter, a redirection command could be utilized to introduce malicious JavaScript from another host. When the code is triggered, the JavaScript is enabled as part of the website.

It was also found that template demos from the Wix domain were effectively able to be utilized by attackers to steal admin session cookies. Once an attacker has access to this session cookie they are then able to place the DOM XSS in an iframe to contain malicious content. With a successful attack, hackers can use the admin-level controls to do a wide range of malicious activities, including spread malware or utilize the domain as a browser-based botnet.

The issue, identified on October 10, 2016, was seemingly unpatched for over a month. Matt Austin, the security research engineer responsible for finding the XSS exploit, attempted to relay the problem to Wix support but only received generic return messages. At the time of this blog’s release, November 11, 2016, a Wix spokesperson told ZDNet the issue has been addressed.

If you are worried about the vulnerability of your website, please contact your webmaster. If the updates or content management system are installed incorrectly, the site may become unusable! The webmaster should be able to identify any security flaws currently present and update your website security as necessary.