Wix.com is a cloud-based website provider whose simple drag-and-drop interface has made it a popular choice for small businesses and private users. Unfortunately, a cross-site scripting (XSS) vulnerability has been discovered in the platform that can lead to compromised admin accounts and a host of other problems.
The Wix vulnerability was first discovered in October by Matt Austin, a senior researcher at Contrast Security. Despite multiple attempts by Austin to report the vulnerability, Wix has remained unresponsive. The Wix platform has 87 million registered users, all of whom are currently vulnerable to the XSS exploit. The vulnerability allows an attacker to use a simple code redirect to tunnel past login screens and gain control of accounts. Since the Wix platform is fully cloud-based, once an account has been exploited in this manner, the attacker has complete administrative control over the website.
“Administrator control of a Wix.com site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine cryptocurrency, and otherwise generally control the content of the site as well as the users who use it,” Austin said.
Worse still, given that the vulnerability is shared among all websites built on the platform, an enterprising hacker could easily create an automated bot to spread malware to the entire network. A similar incident occurred back in 2005 when the “Samy Worm” was spread to over one million MySpace user accounts and became the fastest spreading virus of all time.
Since the XSS vulnerability is inherent in the web platform itself, it cannot be remedied by individual site owners; users will unfortunately need to wait for an official patch. If you are a user of the Wix platform, we strongly urge you to contact the platform's security department and request a status update. Since the vulnerability has been known for nearly a month without remediation, raising awareness of the issue is the best option to encourage Wix to develop a solution. In the meantime, keep a close eye on your accounts and make sure to report any suspicious activity.