Security Firm Finds VPAID Spec Manipulated To Deliver Malware

Bad actors are exploiting VPAID to serve malicious auto redirects hidden within video ads.

VPAID, which stands for Video Player Ad-Serving Interface, is the old and hoary industry standard for interactive in-stream video ads. First introduced way back in 2012 by the IAB Tech Lab, VPAID created as many problems as it aimed to solve.

Beyond causing latency on the page and not working all that well in apps or within over-the-top environments, VPAID isn’t secure. A loophole within the spec allows unauthorized parties to introduce arbitrary JavaScript and inject malware into a piece of creative.

And that’s just what researchers at Israeli ad security company GeoEdge recently discovered happening within programmatically served VPAID video ads.

VPAID vuln

Although malware within video creative is still relatively uncommon – it represents less than 1% of all of the malicious incidents GeoEdge uncovers – the firm has observed a perceptible uptick in conjunction with the rise in programmatic video ad spend overall.

In the United States alone, eMarketer predicts programmatic video ad spend to hit $29.24 billion this year, or 49.2% of all programmatic digital display ad spending.

“The attackers are getting more sophisticated, and they’re attracted to high CPMs,” said Guy Books, VP of product at GeoEdge.

In this case, redirect code nested within a piece of video ad creative mimics a click that diverts users to a phishing scam page or an app download page – the usual junk. GeoEdge first detected the infected ads being served through video platform Teads, an unwitting conduit of creative that managed to slip through the platform’s quality controls.

What’s happening is similar to the sort of shenanigans one sees in the display space, but sneakier, Books said, because ill-intentioned parties are taking advantage of the iframe rendered by the VPAID ad unit to hide their tracks.

Sandbox iframes are meant to provide a self-contained safe space that allows for secure communication between advertisers and publishers without interference from third-party widgets or scripts.

Here, though, the bad actors are causing the redirects to fire within the iframe, which means detection is a doozy.

“When ads run in a sandbox,” Books said, “it’s hard for the video platform that served the ad – or for anyone – to see what’s happening inside.”

Cat, meet mouse

Ad tech vendors know that VPAID has inherent security flaws. The same “permissive” nature that enables rich media interactivity also makes the spec vulnerable to manipulation, said Jack Stone, a product manager on the programmatic team at Teads.

Teads proactively scans every piece of creative that comes into its platform and blocks anything that appears to contain malware. Creative flagged by its publisher partners is also quickly quarantined.

But there’s a cat-and-mouse nature to ad security that makes newly discovered malicious activity tricky to catch, particularly within the fast-moving complexity of the programmatic supply chain.

“There are so many devices, browsers, publisher pages and conditions – literally thousands of different environments – that it’s difficult to test within them all,” said Loïc Chambard, a senior product manager at Teads.

SIMID … soon

But the industry isn’t standing still. In April, the IAB Tech Lab announced that it’s going to start phasing out VPAID in favor of a new, more secure spec called SIMID (long name: Secure Interactive Media Interface Definition) to support interactive video ads.

Although Dennis Buchheim, EVP and general manager of the IAB Tech Lab, said he and his team aren’t aware of the specific malfeasance found by GeoEdge, one of the reasons the lab decided to work on new standards for video is because of the potential security gaps in VPAID.

In addition to SIMID, the IAB Tech Lab released VAST 4.0 (Video Ad Serving Template) in 2015 to, among other fixes, more clearly identify measurement code as separate from the interactive SIMID code so that publishers can decide whether or not they trust the source, Buchheim said.

Teads fully supports the SIMID initiative and the move away from VPAID, Chambard said.

The challenge now is that wide industry adoption of new standards is often a very slow process,

“We’re pushing for it,” Chambard said. “But, unfortunately, I predict it will take until at least 2021 until there is broad adoption of SIMID and we see it really replace VPAID.”

 

Add a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>