Response to report about outdated Revive Adserver installations being compromised
A recent report about compromised Revive Adserver installations does not emphasize enough that those installations were running outdated versions of the software.
We put a lot of effort into security updates. As part of that, we are about to introduce rewards for security researchers who report newly found vulnerabilities responsibly on HackerOne.
We urge users to always update to the most recent version available.
In more detail
A few weeks ago, a company called Confiant published a blog post about several cases in which they discovered compromised Revive Adserver installations. Whoever was responsible then inserted malicious code into existing ads. That code would redirect visitors exposed to the compromised ads to sites that attempted to infect the visitor’s computer or perform other malicious actions.
In their blog post, Confiant points to our GitHub project and – unfortunately – consistently misspells our project name. They describe the Revive Adserver project as “a huge PHP project that has been around for well over a decade”. They also link to our web page with past Security Advisories and to our HackerOne program page.
Next, Confiant is correct in stating (direct quote from their blog):
This is not to say that the Revive team doesn’t handle security issues well, but more to illustrate that this is a large project that has been around for many years and that there are many ad serving infrastructures out there that are based on dated versions of Revive.
And that last part is where the crux of this matter lies: even though our project frequently releases updates of the Revive Adserver software, which anyone can download free of charge and install in a matter of minutes, many individuals and organizations still continue to run outdated versions. This is – of course – not limited to our software. Keeping the software used for an online operation up to date is crucial, but that doesn’t mean everyone puts in the effort all the time.
As can be seen from our Security Advisories page and from our release history, we put a lot of effort into investigating every reported vulnerability and into releasing security fixes as soon as is humanly possible. However, we can’t force the users of our software to update. Fortunately, many users do so anyway. At the time of this writing, almost 1,600 known installations of our software run the recent v5.0.x software, and more than 600 of those have already been updated to the most recently published version, v5.0.5, just a few weeks after it was released. For good measure: both v5.0.5 and v5.0.4 contain security fixes, but these were all for very minor issues that are completely unrelated to the larger problem Confiant refers to. Confiant even adds: “For context, Tag Barnakle have compromised ~60 ad servers in total.” So, in the context of literally thousands of known installations, the number of compromised installations is relatively small. Of course, even one compromised installation is one too many.
Contrary to what Confiant writes, this is not a new problem. The practice of attacking and compromising outdated installations of ad server software has been around for as long as ad servers have existed. That’s because an ad server is a very attractive target for criminals: it enables them to reach a large audience very easily. In that sense, distributors of malware are not that different from regular advertisers. Confiant does not give any detail about how the compromised installations were attacked. We assume, however, that these attackers simply use well-publicized attack vectors, i.e. the vulnerabilities already fixed and documented on our Security Advisories page, to get into outdated installations.
People and organizations running outdated versions with known security vulnerabilities are in fact responsible for the issues they face. We do our very best to inform our users as soon as a new version is available. We have a free mailing list that announces new releases. The software displays a message inside the user interface, informing system administrators about new releases. We post updates on our blog, on the community forums, on Twitter and on Facebook. But then the users themselves have to take action and spend a little time actually performing the update.
We continue to take the security of our software extremely seriously, and we’re literally putting our money where our mouth is. Later this year, we will enhance our existing HackerOne program by offering rewards to security researchers who report new vulnerabilities to us in a responsible manner. We will investigate every report we receive and release security updates if and when necessary.
Meanwhile, we urge our users to always update their installations to the most recent version of the Revive Adserver software, and to compare the version they are running against the fixed versions listed on our Security Advisories page. The software was, is, and continues to be a free download, so there is no financial reason to delay updating.
Don’t want to update yourself?
Alternatively, if you don’t want to spend any time keeping the software up to date, we also offer a Hosted edition that you can subscribe to. This is a Software-as-a-Service offering that runs the exact same software and is always kept up to date with the most recent version. All you have to do is subscribe, log in and use it.