07:30 AM
Tim Wilson
Tim Wilson
Quick Hits

Content Widget Maker Taboola Is Hacked On Reuters

Syrian Electronic Army targets widget used by many publishers to surface content that the reader might like.

Taboola, a widget used by many electronic publishers to help readers find additional content, was hacked by the Syrian Electronic Army (SEA) yesterday.

"Today [Monday], between 7AM - 8AM EDT, an organization called the Syrian Electronic Army hacked Taboola’s widget on Reuters.com," said Taboola founder and CEO Adam Singolda in a blog. "The intruder was redirecting users that accessed article pages on reuters.com to a different landing page."

Taboola is also used by other popular websites, including Time, The Weather Channel, BBC, and USA Today, but the Reuters hack is the only one mentioned in the blog.

Taboola did not immediately address the SEA's claims that it had also hacked Taboola's Paypal account. The SEA posted a copy of what appears be the Paypal page of Taboola on its website.

"The breach was detected at approximately 7:25am, and fully-removed at 8am," said Singola. "There is no further suspicious activity across our network since, and the total duration of the event was 60 minutes.

"While we use 2-step authentication, our initial investigation shows the attack was enabled through a phishing mechanism. We immediately changed all access passwords, and will continue to investigate this over the next 24 hours."

"Websites need to think long and hard not only about the security of their own servers, but whether the companies who are providing widgets and plugins that power the websites are taking security as seriously themselves," said security expert Graham Cluley in a blog about the incident. "After all, at the end of the day, the typical user is going to view the incident as Reuters being hacked – not Taboola." 

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
Christian Bryant,
User Rank: Ninja
6/25/2014 | 2:09:55 AM
50% Social
A solid reminder that a righteous hack is often 50% or better composed of a social element.  Some laugh these days at the idea of phishing getting the better of everyday users, let alone IT staff, but the social hack still rules and is often at the root of a technical hacking triumph.

Think before you answer that email, that caller or that person standing in front of you.  And for crying out loud, please use better passwords!  Stop reusing your passwords and tokens; use a random password and token generator, keep all accounts separate and recycle passwords regularly.  Inevitably, by making your job easier, you're also making the cyber criminals' jobs more easy, too.
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-09
Simple Streams (simplestreams) does not properly verify the GPG signatures of disk image files, which allows remote mirror servers to spoof disk images and have unspecified other impact via a 403 (aka Forbidden) response.

Published: 2015-10-09
The Telephony component in Apple OS X before 10.11, when the Continuity feature is enabled, allows local users to bypass intended telephone-call restrictions via unspecified vectors.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.

Published: 2015-10-09
The Safari Extensions implementation in Apple Safari before 9 does not require user confirmation before replacing an installed extension, which has unspecified impact and attack vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.