OpenX Confirms 'Lights Out' For OnRamp Ad Server

Yesterday we reported that OpenX had abruptly shut down its OnRamp ad server after a major malware attack. At the time the company did not say when, or if, the open source ad server would be back online. In an update this morning, OpenX makes clear that OnRamp will never serve another ad.

OpenX attempted to frame its decision in the context of a widespread increase in hacking activity "directed against technology companies of all types." More on that below.

Meanwhile here's the (run-on) money quote:

"After further review of the intrusion, other recent attacks on the service, the effect on our publishers and advertisers, the recent increased frequency of malicious hacking activity directed against technology companies of all types, the possibility of future intrusions through this open source service which could continue to jeopardize OnRamp customers, the virtual impossibility of ensuring the continued security of OnRamp in an environment of increasingly sophisticated and powerful intrusions that exploit open source software, and the resources we would be required to expend to maintain the security of the service, we have decided that we will no longer host and operate the OnRamp service."

The good news: OnRamp users will be granted access to the reporting interface again, beginning today at 5pm PST and lasting until March 22. This will undoubtedly come as a relief to publishers who were left scrambling Sunday and Monday to comb through email archives and Dropbox accounts for ad creatives and insertion orders. Yes, there's been a great deal of anger.

But while the shuttering of OnRamp is clearly a painful surprise for the legions of publishers that have come to rely on it, it's certainly a positive from a browser security standpoint, since by many accounts OpenX has been a growing source of malicious advertising activity.

In its forum post this morning, OpenX describes itself as a long-term supporter of open source and stops well short of accepting culpability. "We are deeply saddened that our OnRamp contribution to the movement must end due to this criminal activity," it says.

But it also acknowledges implicitly that correcting the vulnerability would be possible, given adequate resources. The fact that OpenX has deemed it lacks those resources raises the question of whether open source technology can be stewarded by for-profit businesses -- or if there's a place for open source in advertising at all.

In the case of OpenX, the company's own actions may have created preventable security holes. A recent ITWorld article describes a method by which malware has been easily spread through an "append" attack: attackers use the plugin for the OpenXMarket exchange product to append malicious code to the ads served on websites that run the OnRamp ad server. That plugin is installed by default. Without this monetization lever, which ITWorld calls "poorly thought out," the risk to OnRamp users and their website visitors would clearly have been considerably lower.

On the other hand, OpenX deserves credit for acting on what had clearly become a significant Internet security issue. Publishers still haven't been given details on the specifics of this particular attack. Was it one malvertiser or many? Was the onslaught very much larger than other recent incidents reported over the last several months? These details would be nice to have. But, regardless of the answers, OpenX probably did the right thing.


  1. So does this move leave only one "Free" solution left in the marketplace in DFP SB? I guess ADTECH Lite is an option, but they don't seem to be really promoting that service.

    This should also come as no shock since OpenX has been plagued with tech issues, specifically on the free version. I can give them credit for making a difficult decision to shut this service down, but given that it was free there should be little impact on them other than the decreased participation in the marketplace.

  2. The downloadable open-source version of OpenX remains viable as long as you prevent admin access except to, well, the admin.

    I would recommend a forking of this software, much like what we saw with LibreOffice. I wish I could commandeer that effort, but all I can offer is contributing and testing if somebody else does.

  3. ADTECH Lite is very much an alternative. Although we don't hump a load of marketing dollars behind the product, it is based on the same secure infrastructure and code as our core system, ADTECH IQ. It has a limited feature-set and is restricted to <=50m impressions per month.

  4. It seems to me that this article misses a couple of important points. 1. What is being shut down is OpenX's free ad serving product. 2. OpenX is still operating its OpenX Enterprise product. 3. This doesn't reflect on their actual business, it's really just shuttering an entry level free ad server.

    • Eric, I touched on both points in the earlier story, which is linked above. But it bears calling out in this piece too so thanks for weighing in.

  5. The other thing that very few people are talking about is the root cause. OpenX OnRamp, just like the downloadable source code, is based on PHP. PHP has historically been chock-full of security holes and OpenX was plagued with security issues for years because of this.

    • PHP cannot be blamed for these security holes -- that is scapegoating. Multitudes of modern apps run off PHP with nary a security hole. Of course, PHP like many other platforms doesn't prevent web programmers from writing insecure apps. Poor programming is the only cause here, and the security holes are in the OpenX product.
