DBSA:2014-0013
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Contents
Digibase Security Advisory - CNET: A Significant Security Risk
Keywords: CNET, Compromised, Advertisements, download.com, cnet.com
DBSA ID: 2014-0013
Regarding: CNET: A Significant Security Risk
Writeup: Kradorex Xeron (talk) 01:45, 16 July 2014 (EDT)
Date: 2014 07 16
Last Modified: 20140716005721 by Kradorex Xeron
Who should take note: All Internet users, especially users of download.com and cnet.com.
Classification
Priority: HIGH
Rationale: Continued use of the services could leave information unsecured and, with recent events, leave user information potentially vulnerable to misuse.
Severity: HIGH
Rationale: The service deploys deceptive methodologies along with leaving user information at risk.
Spread of Issue: MULTI-PLATFORM MODERATE
Rationale: Sites like download.com are popular services and are accessed by users utilizing multiple platforms.
Description
CNET is a web services operator that is currently owned and governed by CBS Interactive. It hosts services such as download.com and cnet.com, the latter of which provides reviews of technology products, videos, as well as forums among other services. Over the past several years, it has been observed that CNET has taken an increasing risk to security management and the privacy of its users.
Noteworthy issues include:
- CNET was purchased by CBS Interactive, which is an entertainment company with significant interest in marketing and advertisement, where users may be exposed to having user data lifted for marketing and/or tracking purposes.
- Providing download.com downloads packaged with adware among other malware that would not be provided given an package not provided through the service, users allegedly may opt out but the option hasn't been sufficiently visible.
- Permitting deceptive advertisements to be placed with download-style buttons to lure users to necessary software packages or diverting users to advertisers.
Recently, it has been noted that at minimum the user database containing usernames, passwords and emails was compromised using a vulnerability of the in-house version of a software package called 'Symfony PHP framework' that site deploys. (see reference).
Unregistered users are at minimal risk with the recent compromise.
Mitigation/Solution
It is advised that users avoid downloading software from download.com and seek more direct downloads from software vendors where possible. Further, it is strongly advised users evaluate what information they may have supplied CNET and to act accordingly to ensure other sites and resources may not be abused with compromised information.
Users are advised against continued use of the site. However, provided no registrations are performed and one is utilizing sufficient ad blocking software, possibly with javascript disabled, one may access resources provided by the site for informative purposes only. Though again it is advised against more than casual use of the site.