Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant. Please refer to the "Date" section of the header to be sure the advisory is recent enough to apply to your situation.
Keywords: CNET, Compromised, Advertisements, download.com, cnet.com
DBSA ID: 2014-0013
Regarding: CNET: A Significant Security Risk
Date: 2014 07 16
Last Modified: 20140716021804 by Kradorex Xeron
Who should take note: All Internet users, especially users of download.com and cnet.com.
Rationale: Continued use of the services could leave information unsecured and, in light of recent events, leave user information potentially exposed to misuse.
Rationale: The service deploys deceptive methods while also leaving user information at risk.
Spread of Issue: MULTI-PLATFORM MODERATE
Rationale: Sites like download.com are popular services and are accessed by users utilizing multiple platforms.
CNET is a web services operator currently owned and governed by CBS Interactive. It hosts services such as download.com and cnet.com, the latter of which provides reviews of technology products, videos, and forums, among other services. Over the past several years, CNET has been observed taking increasing risks with its security management and with the privacy of its users.
Noteworthy issues include:
Recently, it has been reported that, at minimum, the user database containing usernames, passwords and email addresses was compromised through a vulnerability in the site's in-house build of the Symfony PHP framework (see reference).
Unregistered users are at minimal risk with the recent compromise.
It is advised that users avoid downloading software from download.com and instead obtain software directly from the vendor where possible. Further, it is strongly advised that users evaluate what information they may have supplied to CNET and act accordingly, so that the compromised information cannot be used to abuse accounts on other sites and resources; in particular, any password used on CNET that was reused elsewhere should be changed.