Home Online Advertising Security Firm Finds VPAID Spec Manipulated To Deliver Malware

Security Firm Finds VPAID Spec Manipulated To Deliver Malware

SHARE:

Bad actors are exploiting VPAID to serve malicious auto redirects hidden within video ads.

VPAID, which stands for Video Player Ad-Serving Interface, is the old and hoary industry standard for interactive in-stream video ads. First introduced way back in 2012 by the IAB Tech Lab, VPAID created as many problems as it aimed to solve.

Beyond causing latency on the page and not working all that well in apps or within over-the-top environments, VPAID isn’t secure. A loophole within the spec allows unauthorized parties to introduce arbitrary JavaScript and inject malware into a piece of creative.

And that’s just what researchers at Israeli ad security company GeoEdge recently discovered happening within programmatically served VPAID video ads.

VPAID vuln

Although malware within video creative is still relatively uncommon – it represents less than 1% of all of the malicious incidents GeoEdge uncovers – the firm has observed a perceptible uptick in conjunction with the rise in programmatic video ad spend overall.

In the United States alone, eMarketer predicts programmatic video ad spend to hit $29.24 billion this year, or 49.2% of all programmatic digital display ad spending.

“The attackers are getting more sophisticated, and they’re attracted to high CPMs,” said Guy Books, VP of product at GeoEdge.

In this case, redirect code nested within a piece of video ad creative mimics a click that diverts users to a phishing scam page or an app download page – the usual junk. GeoEdge first detected the infected ads being served through video platform Teads, an unwitting conduit of creative that managed to slip through the platform’s quality controls.

What’s happening is similar to the sort of shenanigans one sees in the display space, but sneakier, Books said, because ill-intentioned parties are taking advantage of the iframe rendered by the VPAID ad unit to hide their tracks.

Sandbox iframes are meant to provide a self-contained safe space that allows for secure communication between advertisers and publishers without interference from third-party widgets or scripts.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Here, though, the bad actors are causing the redirects to fire within the iframe, which means detection is a doozy.

“When ads run in a sandbox,” Books said, “it’s hard for the video platform that served the ad – or for anyone – to see what’s happening inside.”

Cat, meet mouse

Ad tech vendors know that VPAID has inherent security flaws. The same “permissive” nature that enables rich media interactivity also makes the spec vulnerable to manipulation, said Jack Stone, a product manager on the programmatic team at Teads.

Teads proactively scans every piece of creative that comes into its platform and blocks anything that appears to contain malware. Creative flagged by its publisher partners is also quickly quarantined.

But there’s a cat-and-mouse nature to ad security that makes newly discovered malicious activity tricky to catch, particularly within the fast-moving complexity of the programmatic supply chain.

“There are so many devices, browsers, publisher pages and conditions – literally thousands of different environments – that it’s difficult to test within them all,” said Loïc Chambard, a senior product manager at Teads.

SIMID … soon

But the industry isn’t standing still. In April, the IAB Tech Lab announced that it’s going to start phasing out VPAID in favor of a new, more secure spec called SIMID (long name: Secure Interactive Media Interface Definition) to support interactive video ads.

Although Dennis Buchheim, EVP and general manager of the IAB Tech Lab, said he and his team aren’t aware of the specific malfeasance found by GeoEdge, one of the reasons the lab decided to work on new standards for video is because of the potential security gaps in VPAID.

In addition to SIMID, the IAB Tech Lab released VAST 4.0 (Video Ad Serving Template) in 2015 to, among other fixes, more clearly identify measurement code as separate from the interactive SIMID code so that publishers can decide whether or not they trust the source, Buchheim said.

Teads fully supports the SIMID initiative and the move away from VPAID, Chambard said.

The challenge now is that wide industry adoption of new standards is often a very slow process,

“We’re pushing for it,” Chambard said. “But, unfortunately, I predict it will take until at least 2021 until there is broad adoption of SIMID and we see it really replace VPAID.”

Must Read

play button with many coins isolated on blue background. The concept of monetization of the video. Making money on video content. minimal style. 3d rendering

Exclusive: Connatix And JW Player Merge To Create A One-Stop Shop For Video Monetization

On Wednesday, video monetization platforms Connatix and JW Player announced plans to merge into a new entity called JWP Connatix. The deal was first rumored in July.

HUMAN Raises $50 Million

HUMAN plans to build a deterministic ID from its tracking of more than 20 trillion digital signals per week across 3 billion devices, which will aid attribution for ecommerce.

Buyers Can Now Target High-Attention Inventory In The Trade Desk

By applying Adelaide’s Attention Unit scoring, buyers can target low-, medium- and high-attention inventory via TTD’s self-serve platform.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

How Should Advertisers Navigate A TikTok Ban Or Google Breakup? Just Ask Brian Wieser

The online advertising industry is staring down the barrel of not one but two potential shutdowns that could radically change where brands put their ad dollars in 2025, according to Madison and Wall’s Brian Weiser and Olivia Morley.

Intent IQ Has Patents For Ad Tech’s Most Basic Functions – And It’s Not Afraid To Use Them

An unusual dilemma has programmatic vendors and ad tech platforms worried about a flurry of potential patent infringement suits.

TikTok Video For Open Web Publishers? Outbrain Built It.

Outbrain is trying to shed its chumbox rep by bringing social media-style vertical video to mobile publishers on the open web.