Wix XSS Security Flaw Patched
Online website builder Wix recently revealed a DOM XSS vulnerability which left its entire platform at risk of attack.
The XSS bug could be used by attackers to create a worm with the ability to take over an administrator account. This would give the perpetrator full access to the Wix website.
If you want to know the gory details then head on over to Matt's post at Contrast Security.
The flaw has since been patched and Wix have put in place a bounty program to prevent further security issues of this type.
"We take the security of our customers very seriously. After thorough examination we can state that the issue has been addressed," the company said in an email. "We do operate a formal bug bounty program and are taking steps to widen the community."
However this issue confirms something that I already knew – Wix don't listen to their customers properly.
In this case the researchers contacted Wix with the details of the vulnerability three weeks prior to making it public news without hearing anything back.
It's a modern day plague where a company grows so fast and so quickly that they can't keep up with all their communication channels.
The good news is that they managed to fix the problem quickly.
The bad news is that exploits like this exist and no doubt will again in the future.
Always take steps to make sure you backup your data. It's not good enough to rely on your supplier and hope that you'll never need to use a backup. It's your data, you should back it up.
If the unthinkable did happen and an exploit like this made it into the wild then it could take a whole cloud network down within hours. You'd lose access to your site and data.
Coming on the back of Weebly's belated announcement that its platform was hacked back in February and 43 million account details stolen and the spat between Wix and Wordpress it's not been a good week for online website builder companies.
Both companies values continue to rise though and there is no sign of either star waning. Wix has doubled in value since January although it closed lower today at around $39 off its October 19th high of $46.