Gone are the days when you needed an advanced degree in computer science to be able to design and manage the website for your business. Cloud-based platforms such as Wix, Squarespace and Shopify allow you to create a website in minutes by dragging and dropping the required components – no coding ability required.
Wix has started rolling out an artificial intelligence (AI) instructor – Wix ADI – to make the process of designing a website even simpler.
The affordability and flexibility of these platforms are said to be their main draw for small and medium-sized businesses: Wix, for example, is free, with more advanced plans ranging from £2.55 to £15.57 per month.
During the third quarter of 2017, Wix.com, which is traded publicly, added 5.2 million registered users to reach 114 million, of whom 3.1 million are paid subscribers.
And it’s not just small companies that are using these platforms, with Target, Lyft, Cisco, Wired and Fast Company having recently moved across to Squarespace.
Industry commentator Christopher Butler, operating officer at Newfangled magazine, also envisages a bright future: “Five years from now, the majority of websites will be powered by Squarespace or something like it,” he writes.
Similarly, Matt Mullenweg, the developer of the WordPress platform, which is still said to power 29% of the internet, recently caused a stir on social media when he tweeted: “Naked Wordpress (without plugins) is not competitive with Wix, Weebly, Squarespace.”
But how secure are these platforms at a time when hackers have found ways to infiltrate some of the most secure networks of governments, and more recently the NHS, which fell victim to a global ransomware attack last May?
Questions were raised about the security vulnerabilities of cloud-based website design platforms in 2016, when a DOM-based cross-site scripting (XSS) vulnerability discovered on Wix was said to have put 87 million websites and their users at risk.
The XSS bug allowed attackers to create worms capable of taking over administrator accounts. This, in turn, gave them full control over websites. More worrying still, exploiting this vulnerability was almost as simple as designing the website itself, by adding a simple parameter to any site created on Wix.com.
Unlike traditional cross-site scripting exploits, where the payload is delivered in the page the server returns in response to an HTTP(S) request, DOM-based XSS attacks modify the Document Object Model environment in the browser that client-side script relies on, so that malicious code alters the execution of client-side code without the server ever seeing the payload, according to the Open Web Application Security Project (OWASP).
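To make the distinction concrete, here is an added example (not code from the article, Wix or OWASP) showing the same page logic in vulnerable and hardened form: both read a name from the URL fragment, which never reaches the server, and write it into the page. A minimal element stub stands in for the real DOM so the snippet runs under Node; the fragment format `#name=...` and the sample input are constructed assumptions.

```javascript
// Stub of the two DOM properties that matter here: assigning innerHTML makes the
// browser parse markup, assigning textContent never does. Real code would use
// document.getElementById(...) instead.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Extracts the untrusted value from a fragment such as "#name=Alice". The user
// (or a link an attacker crafted) fully controls window.location.hash, and the
// fragment is not sent in the HTTP request, so server-side filters never see it.
function nameFromFragment(hash) {
  const m = /^#name=(.*)$/.exec(hash);
  return m ? decodeURIComponent(m[1]) : "";
}

// Vulnerable: the fragment value flows straight into the innerHTML sink, so any
// markup it carries is parsed and rendered by the browser.
function renderVulnerable(hash) {
  const el = makeElement();
  el.innerHTML = "<p>Welcome, " + nameFromFragment(hash) + "</p>";
  return el;
}

// Hardened: encode the five HTML metacharacters before the value reaches a
// markup sink. Where no static markup is needed, el.textContent = value is the
// simpler fix because that sink does no parsing at all.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(hash) {
  const el = makeElement();
  el.innerHTML = "<p>Welcome, " + escapeHtml(nameFromFragment(hash)) + "</p>";
  return el;
}

// Constructed input: a fragment carrying a markup tag instead of a plain name.
const SAMPLE_HASH = "#name=" + encodeURIComponent("<i>Alice</i>");

// Detection helper for a unit test or a scanner: does the untrusted value
// survive as live markup in the rendered element?
function untrustedMarkupSurvives(el) {
  return el.innerHTML.includes("<i>");
}

console.log("vulnerable:", untrustedMarkupSurvives(renderVulnerable(SAMPLE_HASH)));
console.log("hardened:  ", untrustedMarkupSurvives(renderSafe(SAMPLE_HASH)));
```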
Matt Austin, director of security research at Contrast Security, who found the exploit, said: “Administrator control of a Wix.com site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine cryptocurrency, and otherwise generally control the content of the site as well as the users who use it.”
Wix fixed the vulnerability swiftly at the time and told ZDNet on 3 November 2016: “We take the security of our customers very seriously. After thorough examination, we can state that the issue has been addressed. We do operate a formal bug bounty programme and are taking steps to widen the community.”
Although experts haven’t discovered a similar vulnerability since, many, such as computer security expert Graham Cluley, admit that their experience with such platforms is limited, making it difficult for them to comment on whether the issue still exists or on the scale of what happened.
“I’m afraid I don’t have any experience with Wix or Squarespace, or know what mitigation steps they might have taken to avoid other attacks, so I can’t shed any light on this area,” he says.
Could this mean it is possible that some smaller security vulnerabilities lie undetected and are being exploited continuously?
Are security vulnerability scanners the solution?
As with website design, many IT and information security professionals have grown accustomed to the ease of clicking a button and automating all of their web security testing by using vulnerability scanners.
One such platform is Netsparker, a vulnerability detection system used by Microsoft, Cisco and Intel, to name but a few. Suphi Özgür Cankurt, regional sales manager at the company, believes website design platforms carry some additional vulnerabilities, but attributes this to small business owners using them not running security checks regularly.
“Website design platforms let you do so much now. It means there are more avenues for hackers to exploit and it is important to identify vulnerabilities early,” says Cankurt.
“It is important to note that these vulnerabilities exist across the board, but maybe the issue with platforms such as Wix and Shopify is that the people using them don’t check these things, and aren’t investing in detection software, such as ours.”
However, Kevin Beaver, an IT security consultant at Principle Logic, believes that because there are so many nuances to running web vulnerability scans, only an experienced professional will know how to run them properly and get the best results. So the solution isn’t necessarily investing in vulnerability scanning software, but in platforms hiring experts capable of assessing and interpreting the issues that could exist.
“You have to know your scanners and what to expect or you won’t get the desired results,” says Beaver. “Granted, many scanner vendors have done an excellent job fine-tuning the interfaces of their tools, but there’s so much more to it.
“When using these scanners, many will just look for high-risk vulnerabilities, then you’re probably overlooking a ton of potential opportunities to uncover additional security flaws,” says Beaver, writing on Computer Weekly's sister site SearchSecurity.com.
All business is risky business
More importantly, it is not just website design platforms that are susceptible to attacks. Guy Podjarny, security researcher at open source security company Snyk, said in a blog post in June 2017 that 50% of all website vulnerabilities reported since 2012 were XSS. And security researchers at Netsparker have already identified DOM-based XSS issues at high-profile internet companies such as Google, Yahoo and Alexa.
Similarly, Denis Sinegubko, founder of Unmask Parasites and a senior malware researcher at Sucuri, believes hackers are more likely to attack larger companies, seeking higher rewards, and that hosting websites on a platform makes vulnerabilities easier to fix.
“Generally, if a platform allows you to insert HTML of third-party scripts and iframes, it can be abused to serve malicious code. However, we didn’t see serious massive attacks on those sites recently, but we have seen attacks on multinationals and their systems,” says Sinegubko.
“In our experience, the main areas of abuse for small to medium-sized businesses are spam via custom templates and using ad-backed widgets. Otherwise, the hacks are not massive. However, if hackers find a vulnerability in the platform itself that will allow them to modify any sites hosted there, we’ll definitely see massive attacks,” he says.
“On the other hand, such attacks can be quickly mitigated, as most likely they won’t require action from thousands of individual webmasters, but rather just a coordinated effort from the platform staff.”
Ultimately, the consensus seems to be that security should take priority over customisability, and that more should be done to educate SME owners about the exploits hackers can take advantage of.
Switching to a cloud-based website design platform doesn’t necessarily make your business more prone to security exploits, but if users, platform owners, vulnerability assessment specialists and experts ignore the risks that exist in a cyber warfare-infested world, the consequences could be catastrophic.