Home Online Advertising Security Firm Finds VPAID Spec Manipulated To Deliver Malware

Security Firm Finds VPAID Spec Manipulated To Deliver Malware

SHARE:

Bad actors are exploiting VPAID to serve malicious auto redirects hidden within video ads.

VPAID, which stands for Video Player Ad-Serving Interface, is the old and hoary industry standard for interactive in-stream video ads. First introduced way back in 2012 by the IAB Tech Lab, VPAID created as many problems as it aimed to solve.

Beyond causing latency on the page and not working all that well in apps or within over-the-top environments, VPAID isn’t secure. A loophole within the spec allows unauthorized parties to introduce arbitrary JavaScript and inject malware into a piece of creative.

And that’s just what researchers at Israeli ad security company GeoEdge recently discovered happening within programmatically served VPAID video ads.

VPAID vuln

Although malware within video creative is still relatively uncommon – it represents less than 1% of all of the malicious incidents GeoEdge uncovers – the firm has observed a perceptible uptick in conjunction with the rise in programmatic video ad spend overall.

In the United States alone, eMarketer predicts programmatic video ad spend to hit $29.24 billion this year, or 49.2% of all programmatic digital display ad spending.

“The attackers are getting more sophisticated, and they’re attracted to high CPMs,” said Guy Books, VP of product at GeoEdge.

In this case, redirect code nested within a piece of video ad creative mimics a click that diverts users to a phishing scam page or an app download page – the usual junk. GeoEdge first detected the infected ads being served through video platform Teads, an unwitting conduit of creative that managed to slip through the platform’s quality controls.

What’s happening is similar to the sort of shenanigans one sees in the display space, but sneakier, Books said, because ill-intentioned parties are taking advantage of the iframe rendered by the VPAID ad unit to hide their tracks.

Sandbox iframes are meant to provide a self-contained safe space that allows for secure communication between advertisers and publishers without interference from third-party widgets or scripts.

Here, though, the bad actors are causing the redirects to fire within the iframe, which means detection is a doozy.

“When ads run in a sandbox,” Books said, “it’s hard for the video platform that served the ad – or for anyone – to see what’s happening inside.”

Cat, meet mouse

Ad tech vendors know that VPAID has inherent security flaws. The same “permissive” nature that enables rich media interactivity also makes the spec vulnerable to manipulation, said Jack Stone, a product manager on the programmatic team at Teads.

Teads proactively scans every piece of creative that comes into its platform and blocks anything that appears to contain malware. Creative flagged by its publisher partners is also quickly quarantined.

But there’s a cat-and-mouse nature to ad security that makes newly discovered malicious activity tricky to catch, particularly within the fast-moving complexity of the programmatic supply chain.

“There are so many devices, browsers, publisher pages and conditions – literally thousands of different environments – that it’s difficult to test within them all,” said Loïc Chambard, a senior product manager at Teads.

SIMID … soon

But the industry isn’t standing still. In April, the IAB Tech Lab announced that it’s going to start phasing out VPAID in favor of a new, more secure spec called SIMID (long name: Secure Interactive Media Interface Definition) to support interactive video ads.

Although Dennis Buchheim, EVP and general manager of the IAB Tech Lab, said he and his team aren’t aware of the specific malfeasance found by GeoEdge, one of the reasons the lab decided to work on new standards for video is because of the potential security gaps in VPAID.

In addition to SIMID, the IAB Tech Lab released VAST 4.0 (Video Ad Serving Template) in 2015 to, among other fixes, more clearly identify measurement code as separate from the interactive SIMID code so that publishers can decide whether or not they trust the source, Buchheim said.

Teads fully supports the SIMID initiative and the move away from VPAID, Chambard said.

The challenge now is that wide industry adoption of new standards is often a very slow process,

“We’re pushing for it,” Chambard said. “But, unfortunately, I predict it will take until at least 2021 until there is broad adoption of SIMID and we see it really replace VPAID.”

Must Read

Why Media Mergers And Spin-Offs Don’t Always Keep Their Promises

With media megamergers, acquisitions and spin-offs left and right, the media landscape is changing at a pace that is difficult to keep up with.

TransUnion is partnering with Blockgraph so that advertisers can use its identity data to target, reach and measure TV households across channels.

How This Disaster Relief Nonprofit Tapped First-Party Data To Reach Donors Year-Round

Staying top of mind for potential donors is an ongoing challenge for Direct Relief. Nexxen’s audience curation helped it spread and sustain awareness.

Why Major UK Publishers Are Finally Joining Forces To Curate Ad Inventory

Atria’s collective approach is a response to growing monetization challenges and the need to protect the value of human journalism in the AI era.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Toronto Canada pride parade includes a crowd waving pride flags

Ad Performance And Politics Steered Brand Dollars Away From LGBTQ+ Communities – But The Pendulum Will Swing Back

The current administration has discouraged many marketers and organizations from showing support for the LGBTQ+ community, including during Pride month.

How AI Can Enhance Content Without Generating It

As much as consumers complain about AI-generated content, advertising experts say AI still has an important place in video creation and production, including for ads. But using AI in content without turning off consumers is a tricky dance.

How Tovala Banks On Subscriptions And Incrementality – But Not Ads – To Profit From Its Oven

Smart TVs, refrigerators and other home appliances may pester you with marketing, but at least the hardware is cheap. Another startup taking a different approach to the same theory is Tovala, which was founded in 2015 and combines a standalone countertop oven with a weekly meal kit subscription.