Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Digibase Security Advisory - CNET: A Significant Security Risk
Keywords: CNET, Compromised, Advertisements, download.com, cnet.com
DBSA ID: 2014-0013
Regarding: CNET: A Significant Security Risk
Date: 2014 07 16
Last Modified: 20140716011804 by Kradorex Xeron
Who should take note: All Internet users, especially users of download.com and cnet.com.
Rationale: Continued use of the services could leave information unsecured and, with recent events, leave user information potentially vulnerable to misuse.
Rationale: The service deploys deceptive methodologies along with leaving user information at risk.
Spread of Issue: MULTI-PLATFORM MODERATE
Rationale: Sites like download.com are popular services and are accessed by users utilizing multiple platforms.
CNET is a web services operator that is currently owned and governed by CBS Interactive. It hosts services such as download.com and cnet.com, the latter of which provides reviews of technology products, videos, as well as forums among other services. Over the past several years, it has been observed that CNET has taken an increasing risk to security management and the privacy of its users.
Noteworthy issues include:
- CNET was purchased by CBS Interactive, which is an entertainment company with significant interest in marketing and advertisement, where users may be exposed to having user data lifted for marketing and/or tracking purposes.
- Providing download.com downloads packaged with adware among other malware that would not be provided given an package not provided through the service, users allegedly may opt out but the option hasn't been sufficiently visible.
- Permitting deceptive advertisements to be placed with download-style buttons to lure users to unnecessary software packages or diverting users to advertisers.
Recently, it has been noted that at minimum the user database containing usernames, passwords and emails was compromised using a vulnerability of the in-house version of a software package called 'Symfony PHP framework' that site deploys. (see reference).
Unregistered users are at minimal risk with the recent compromise.
It is advised that users avoid downloading software from download.com and seek more direct downloads from software vendors where possible. Further, it is strongly advised users evaluate what information they may have supplied CNET and to act accordingly to ensure other sites and resources may not be abused with compromised information.