Publishers’ plug-in addiction can come back to haunt them

Publishers today have inked a Faustian pact with the third-party vendors that plug into their sites. While working with vendors gives publishers access to perks like analytics and free commenting systems, it also leaves them exposed to a host of security vulnerabilities.

These publishers have to understand that, just as they’re platforms for news, they’re also platforms for criminals and cyber terrorists to spread their messages

Reuters found this out the hard way this week when hackers from the Syrian Electronic Army used its Taboola widget to redirect the site’s article pages to those with pro-Syria messages. The widget, which appears on thousands of sites, drives both traffic and revenue to publishers by recommending related content to readers; this is why it’s a common fixture on the sites of many big-name publishers. (Digiday also uses Taboola to recommend related Digiday content.)

Beneficial or not, Taboola also served as a viable attack vector for the Reuters hackers. Because exposure is the main motivation for the SEA, going after a big site like Reuters, which gets roughly 12 million unique visitors a month, is a no-brainer. The organization’s previous big-ticket targets include BBC News, The Associated Press and The Washington Post. (The SEA previously attacked Reuters’ Twitter account in 2012.)

This story was written by Ricardo Bilton and originally posted on the Digiday website.