Are Widgets Wicked?

Widgets are widely used across the Web as a means to deliver both content and advertising. They can also be abused by attackers to deliver malware.

That’s the message that Neil Daswani, CTO and co-founder of security firm Dasient, delivered at the Black Hat DC security conference this week. Daswani warns that website owners need to be aware of the risks that widgets can represent.

“Ad widgets, when compromised, can be used to spread mass malware infections across the most highly trafficked websites on the Internet,” Daswani told

Daswani is no stranger to the topic of widget-based malware. At the Black Hat USA conference in the summer of 2010, Daswani warned of the risks stemming from the use of third-party JavaScript. His company, Dasient, is also in the business of protecting against such risks with its Web Anti-Malware service.

According to Daswani, widget-based malware has been evolving in recent months.

“What has changed is that we are seeing more and more examples and evidence of cybercriminals compromising widgets and using them as a vehicle for malware distribution,” Daswani said. “The problem is getting worse.”

Daswani noted that the widgets most likely to be targeted include audience measurement widgets from Google Analytics, Quantcast, and ScorecardResearch; advertising widgets from Google/DoubleClick; and widgets that use third-party APIs from Facebook and Google. That said, Daswani noted that in his view 100 percent of widgets are at risk of being infected with malware.

“The more websites that use a widget, the more attractive that widget becomes to attackers as a conduit to spread Web-based malware,” Daswani said. “Some widgets, such as audience measurement widgets, can become infected via server compromises or DNS cache poisoning, while others, such as ad widgets, can become infected via malvertising.”

Daswani points out that popular sites, including the top 1000 websites ranked by the Quantcast Web analytics service, are of particular concern. He noted that those websites often rely on third-party widgets hosted on external servers for some of their functionality.

“If any of these third-party servers are either compromised or even just host a few malicious resources, the widgets can be used as an intermediary channel to deliver malware to users viewing the pages,” Daswani said. “In my Black Hat talk, I present detailed case studies in which audience measurement and advertising widgets have been compromised and actively used to spread malware.”

In terms of mitigation, there are a number of things site owners can do. Daswani suggests that site owners employ Web malware and anti-malvertising monitoring to ensure that their online presence is not used as a delivery channel for malware through attacks against widgets.
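The monitoring Daswani recommends can be approximated on the site-owner side with a baseline check on the third-party script includes a page loads: every external widget host must be on an allowlist, and every widget body must still hash to the value recorded when it was reviewed. The following is an added example, not code from the article or from Dasient's service; the hostnames, page HTML and script bodies are constructed, and `fetch` is injected so the check runs offline.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ScriptSrcCollector(HTMLParser):  # collects the src of every <script> tag
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.srcs.append(src)

def external_scripts(html, page_url):
    """Absolute URLs of scripts served from hosts other than the page's own."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    own_host = urlparse(page_url).netloc.lower()
    urls = [urljoin(page_url, s) for s in parser.srcs]  # resolves // and / refs
    return [u for u in urls if urlparse(u).netloc.lower() != own_host]

def audit_widgets(html, page_url, allowed_hosts, baseline, fetch):
    """Flag widget hosts outside the allowlist and widget bodies whose SHA-256 no
    longer matches the baseline. fetch(url) -> bytes is injected to run offline."""
    findings = []
    for url in external_scripts(html, page_url):
        if urlparse(url).netloc.lower() not in allowed_hosts:
            findings.append(("unexpected-host", url))  # unapproved third-party server
            continue
        digest = hashlib.sha256(fetch(url)).hexdigest()
        if url not in baseline:
            findings.append(("no-baseline", url))
        elif digest != baseline[url]:
            findings.append(("content-changed", url))  # widget body altered upstream
    return findings

# Constructed sample (hypothetical hosts): an analytics widget, an ad widget, and
# a script include that was never approved.
PAGE_URL = "https://www.example-news.test/index.html"
PAGE_HTML = """<html><head><script src="/static/site.js"></script>
<script src="https://stats.widget-vendor.test/tracker.js"></script>
<script src="https://ads.widget-vendor.test/loader.js"></script>
<script src="//cdn.unknown-host.test/x.js"></script></head></html>"""
ALLOWED = {"stats.widget-vendor.test", "ads.widget-vendor.test"}
TRACKER, LOADER = b"/* benign tracker */", b"/* benign ad loader */"
BASELINE = {"https://stats.widget-vendor.test/tracker.js": hashlib.sha256(TRACKER).hexdigest(),
            "https://ads.widget-vendor.test/loader.js": hashlib.sha256(LOADER).hexdigest()}
# Simulated current responses: the tracker now carries appended, unreviewed code.
RESPONSES = {"https://stats.widget-vendor.test/tracker.js": TRACKER + b"/* appended */",
             "https://ads.widget-vendor.test/loader.js": LOADER}
```

Running `audit_widgets(PAGE_HTML, PAGE_URL, ALLOWED, BASELINE, lambda u: RESPONSES[u])` reports the altered tracker and the unapproved host while leaving the unchanged ad loader alone; in practice the fetch would be a scheduled download from the same vantage point as a visitor, since a compromised or poisoned widget server may serve different content to different clients.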

“End-users can protect themselves by making sure they use a good browser with solid anti-malware protections, such as Google’s Chrome,” Daswani said. “But some would argue that the key responsibility rests with site owners and widget providers to ensure their visitors are protected.”

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.

Keep up with security news; follow eSecurityPlanet on Twitter: @eSecurityP.

Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
