Security Review: ShopAds from Adgregate Markets

By rctucker at 8:30 pm on February 5, 2009 | 3 Comments

In early September 2008, during the TechCrunch50 Conference, there were many companies that came forward presenting ideas on how to change the advertising business. One such company, Adgregate Markets, presented an idea they call the ShopAds widget. This widget can be placed on any website like a normal banner ad, but is instead a fully transactional ad that allows visitors to the site the ad is placed on to conduct a business transaction (such as buying an item or ordering a service) without leaving the hosting web page.

This is big news both for host sites that may gain revenue from their ads and for the companies trying to sell a product. For host sites, it means their pages are sticky; visitors no longer leave for a 3rd party site when they see a product they like. Instead, they can just purchase it and continue to view the content. For the company selling the product, it means their returns are much greater than with previous click-through counting methods, as the results are in the form of actual sales and revenue.

But what does this mean for the online consumer? Of course, it means they can now make purchases through ads without having to go to another site, but it also means they have to be smarter. Adgregate claims in their press release that “Through ShopAds, Adgregate Markets enables consumers to securely purchase products entirely within the confines of the ad unit, without being redirected away from the publisher’s site.” However, a problem arises when a ShopAds widget is placed on a web page that uses HTTP instead of HTTPS. Since the page itself is transmitted over HTTP, the content of the page is in plaintext. Additionally, there is no way to verify that the widget came from any particular location. For example, a malicious router launching a man-in-the-middle attack could replace the widget on a page with its own widget that appears to be legitimate. Visitors to the web page may then interact with it, assuming it belongs to the company it claims to represent. Although ShopAds are Flash-based, and thus can establish secure connections, this only has meaning if the source of the ad itself can be verified.

Assets and Security Goals:

  • Purchase Orders – The purchase made by a visitor/customer must be accurate when it is received by the merchant company.
  • Consumer Identities – Identifying information, such as credit card numbers, should not.
  • Merchant Identities – It should be possible for a consumer to know for sure that they are buying from a particular merchant.  In other words, it should not be possible for an adversary to pretend to be a Macy’s ad.

Potential Adversaries or Threats

  • Eavesdroppers – It could be possible to collect customer information by sniffing packets.
  • Copy Cats – By replacing ShopAds widgets with a malicious Flash ad, one could pretend to be a company that they are not.
  • Modifiers – By modifying the information being exchanged, it may be possible to alter the purchase order itself (such as the quantity of certain items) or change where it is being shipped to.

Potential Weaknesses

  • HTTP Pages – Pages using HTTP cannot guarantee the origin of the content displayed on the page, including the ShopAds widget, and would be vulnerable to man-in-the-middle attacks. Additionally, information is sent in plaintext.
  • HTTPS Pages – Even on an HTTPS page, you would have to trust the hosting (publishing) website you were visiting. HTTPS only verifies that the site is who they say they are. So, visiting https://www.evil.com and conducting a business transaction through one of their evil ads is still dangerous.
  • ShopAds Widget – If the widget does not take advantage of the features in Flash to establish secure connections, information may be sent in plaintext.

Potential Defenses

  • HTTPS Pages – HTTPS pages can at least guarantee that the page is who they say they are and that the data is not sent in plaintext. If a customer trusts the hosting/publishing site, and they trust the company who owns the ad, they could trust the transaction. However, this would require every page with a ShopAds widget to use HTTPS…
  • Flash Security – Make sure to take advantage of Flash's features for establishing secure connections, to prevent transaction information from being transmitted in plaintext even if the widget is properly placed on a trusted HTTP page that has not been maliciously modified.
  • Ad/Merchant Verification – Giving consumers a way to verify that the ad belongs to a particular merchant would help guarantee online shoppers do not buy from copy-cats. Ideally, this would be done in the widget as well so as to keep to the nature of this new technology.

The largest problem here is that consumers may have no idea about the threats posed by these types of ads.  Many customers may not even know why HTTPS is important, let alone how it affects the security of shopping through an ad. Furthermore, it is unlikely that every page that will be sporting the ShopAds widgets will start using HTTPS, so shoppers will learn to have trust in these very dangerous situations. Even if the publishing site can be trusted, if the widget is not on an HTTPS page, it cannot be trusted.
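A publisher can check its own pages for the three cases listed under Potential Weaknesses. The sketch below is an added example, not code from Adgregate or from the original post; the names `EmbedCollector` and `audit_page` and the `example.com`/`example.net` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags that can pull a widget into a page -> attribute naming its source.
EMBED_ATTRS = {"embed": "src", "object": "data", "iframe": "src", "script": "src"}


class EmbedCollector(HTMLParser):
    """Collect (tag, absolute URL) for every embedded resource on a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        attr = EMBED_ATTRS.get(tag)
        src = dict(attrs).get(attr) if attr else None
        if src:
            # Resolve relative and scheme-relative (//host/path) URLs.
            self.embeds.append((tag, urljoin(self.page_url, src)))


def audit_page(page_url, html):
    """Classify each embed by whether its origin can be authenticated."""
    collector = EmbedCollector(page_url)
    collector.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for tag, url in collector.embeds:
        if not page_https:
            # The markup is unauthenticated, so even an https:// src
            # could have been rewritten in transit.
            verdict = "UNVERIFIABLE: page served over HTTP"
        elif urlparse(url).scheme != "https":
            verdict = "MIXED CONTENT: widget fetched over HTTP"
        else:
            verdict = "TRANSPORT OK: still depends on trusting the publisher"
        findings.append((tag, url, verdict))
    return findings


# Constructed sample markup; hosts are placeholders, not real ad servers.
SAMPLE = """
<embed src="https://ads.example.net/shopad.swf">
<object data="http://ads.example.net/shopad.swf"></object>
<script src="//ads.example.net/loader.js"></script>
"""

if __name__ == "__main__":
    for finding in audit_page("http://blog.example.com/post", SAMPLE):
        print(*finding, sep=" | ")
```

Note that the first `embed` names an `https://` source yet is still reported as unverifiable on the HTTP page, which is the point made above about a widget's secure connections meaning little when its own origin cannot be checked.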

If the ShopAds widget is to become the next best thing in advertisement and online shopping, these security concerns will have to be addressed.  In the same way that an online banker would not (hopefully!) enter their bank account number and password on an insecure page, neither should an online shopper provide their credit card or other identifying information.  It will also be necessary for shoppers to be more aware of where and how they are making purchases.  To help out visitors to the site, some of the responsibility may rest with the publishing website to make sure the ads they are providing do not compromise the identities of its visitors.  If this does catch on, it may become necessary in the future for browsers to be able to verify the origin of chunks of content, such as the ShopAds widget, to guarantee the security of its users.

Filed under: Integrity, Privacy, Security Reviews

3 Comments

  • 1
    Comment by Henry, CEO of Adgregate Markets

    February 6, 2009 @ 3:09 pm

    Thanks for your interest in ShopAds. I want to point out to your readers that each ShopAd has a unique ID verification which consumers may click on to ‘verify’ it is an authentic ShopAd. The authentication message is hosted on our secure https server, which cannot be duped. To see this work, go to http://www.adgregate.com, click on “Showcase” and roll over any ShopAds icon on bottom left corner of the ShopAd to validate the ShopAd. Furthermore, our business is predicated on working with brand name advertisers and trusted publishers. We would always stress the buyer beware before choosing to buy products from an untrusted blog site, etc.

  • 2
    Comment by Ryan Tucker

    February 7, 2009 @ 1:04 am

    I did as requested and verified the Ally ShopAd. This opened up a page saying the ShopAd had been verified, but it was on an http page, not an https page. This presents the same security issues, primarily man-in-the-middle attacks, suggested above. As it is not an https page, both the ShopAd and the authentication message could be duplicated, tricking the customer into providing sensitive information. To be fair, the other two ShopAds did open up https pages.

    However, as was stated in the above post and admitted by yourself, it would require the consumer to be aware of the publisher, the advertiser, and even double check that the authentication is on your https secure site. As we have seen with phishing scams, this is certainly not the case with the typical user. Though, in some cases, it may not be a failing of the technology you are providing, it is certainly offering more opportunities to those who wish to take advantage of people simply because of the nature of the technology itself and how it interacts with the web browser to provide security.

  • 3
    Comment by Henry, CEO of Adgregate Markets

    February 9, 2009 @ 6:50 am

    Ryan, thanks for catching the Ally ShopAd oversight. We have been upgrading the security of all of our ShopAds and missed this one. All ShopAds are now directed to https secure validation.
