3 Exploits in 5 Minutes

iFraming & URL shorteners: a backdoor to data breaches, ransomware and revenue losses.

Disclaimer: There is NOTHING more or less vulnerable about The Washington Post site specifically. We just used it as an example, in order to spoof a popular domain. Any site can be hacked this way, and The Post is used for illustrative purposes only.


Maggie and I had an interesting thought experiment that turned into some real research for DEVCON. We looked at existing ad tech tools like WYSIWYG creative builders and URL shorteners to see if we could find any interesting attacks we could deploy while spoofing a major publisher. The goal was to use readily available tools that are free or inexpensive. In one night we came up with three malicious attacks that allowed us to launch some very convincing exploits on end users, all of which could be done in minutes. We wanted to prove how easy it could be to harvest credentials, steal credit card information and deploy malware on the victim’s machine.

We used two different types of URL shorteners to make a convincing sharable phishing attack. We will not disclose the names of all services involved since we did find real vulnerabilities in these services. DISCLAIMER: Though we did use Bit.ly to shorten a URL in the exploits, it was not the URL shortener service that we found to be vulnerable. We hope you enjoy our video!


In the first 8 hours, we observed over 5,000 cases of content loaded in off-site iFrames.

Loading site content in a frame this way has some legitimate use cases. We saw site content loaded by gstatic.com, for instance - Google’s content caching solution.

And sites can be loaded this way for good old-fashioned content stealing - it’s a way to include someone else’s work on a site without sending the user to that site to see it. This kind of copyright infringement is certainly a concern for publishers, but it probably doesn’t expose users to exploits.

About two-thirds of the cases fell in these low to medium risk scenarios.

But over 35% of these cases were loaded by sites or tools that we have identified as suspicious or vulnerable, creating a high risk of the legitimate site content being used for fraudulent purposes.

To help with the problem, last night we released a new “detect iframed content” alert in our platform. The feature allows you to review who is iframing your content and send them a cease and desist letter via the share button. We can also block any that you wish, and have the user redirected to your native site, and out of the iframe (iframe busting).
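
The iframe busting described above can be sketched in page-side JavaScript. This is an added example, not DEVCON's platform code: `ALLOWED_FRAMERS`, `hostAllowed`, `classifyFraming` and `enforceFraming` are hypothetical names, and allowing gstatic.com is an assumption based on the legitimate caching case mentioned earlier.

```javascript
// Added example; ALLOWED_FRAMERS, hostAllowed, classifyFraming, enforceFraming are hypothetical names.
// Hosts permitted to frame this site (assumption: the gstatic.com cache the article mentions).
const ALLOWED_FRAMERS = ["gstatic.com"];

// Exact domain or true subdomain only; substring matching would accept gstatic.com.other.example.
function hostAllowed(host, allowed = ALLOWED_FRAMERS) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return allowed.some((d) => h === d || h.endsWith("." + d));
}

// Returns { verdict: "top" | "allowed-frame" | "untrusted-frame", framer }.
function classifyFraming(win) {
  if (win.top === win.self) return { verdict: "top", framer: null };
  // ancestorOrigins (Chromium, WebKit) lists every ancestor; otherwise fall back to the referrer.
  const ao = win.location.ancestorOrigins;
  const origins = ao && ao.length ? Array.from(ao) : [win.document.referrer];
  for (const origin of origins) {
    let host = null;
    try { host = new URL(origin).hostname; } catch (e) { /* empty or opaque origin */ }
    // Fail closed: an ancestor we cannot identify is treated as untrusted.
    if (!host || !hostAllowed(host)) {
      return { verdict: "untrusted-frame", framer: origin || "unknown" };
    }
  }
  return { verdict: "allowed-frame", framer: origins[0] };
}

// Break out of untrusted frames by navigating the top window to this page's own URL.
function enforceFraming(win) {
  const result = classifyFraming(win);
  result.action = "none";
  if (result.verdict === "untrusted-frame") {
    try {
      win.top.location = win.location.href;
      result.action = "busted";
    } catch (e) {
      // Top navigation refused (e.g. sandboxed frame): hide the content instead.
      win.document.documentElement.style.display = "none";
      result.action = "hidden";
    }
  }
  return result;
}

// Run on page load in a browser; skipped under Node so the functions can be tested.
if (typeof window !== "undefined") enforceFraming(window);
```

A framing page can stop this script from running at all with the iframe `sandbox` attribute, so pair it with a `Content-Security-Policy: frame-ancestors` response header, which the browser enforces on its own.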
