The strange hack on The Sticky Tongue Project that only surfaced in the embedded browser of Google’s iOS app for Google+ has been happily resolved.
Candace M Hansen, the website’s project developer and manager, contacted her hosting service which in turn identified an outdated version of TimThumb, a popular image resizing script. The Sticky Tongue Project is a self-hosted WordPress site, and many WordPress themes come bundled with TimThumb, but it can be used anywhere.
The TimThumb vulnerability in question was identified by Mark Maunder in August 2011, and further explained in a follow-up post. Briefly, TimThumb had a really terrible way of identifying trusted URLs which hackers could exploit to upload arbitrary server-side scripts. Those scripts could then do things like inject unwanted advertising into the website, which is exactly what happened on The Sticky Tongue Project.
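As an added illustration (not code from this post or from TimThumb itself, which is PHP), the Python below contrasts the style of trusted-URL check that got TimThumb into trouble, a substring match against a list of allowed hostnames, with a check that parses the URL and compares the real hostname. The allowlist and the sample URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist in the spirit of the remote image hosts an
# image-resizing script might trust.
ALLOWED_HOSTS = ["img.youtube.com", "blogger.com", "wordpress.com"]


def naive_is_trusted(url: str) -> bool:
    """Substring match: passes any URL that merely *contains* an allowed
    name anywhere, including in a longer attacker-controlled hostname,
    the userinfo part, or the query string."""
    lowered = url.lower()
    return any(host in lowered for host in ALLOWED_HOSTS)


def strict_is_trusted(url: str) -> bool:
    """Parse the URL, require http(s), take the actual hostname, and accept
    only an exact match or a label-aligned subdomain of an allowed host."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


# Constructed sample URLs: expected verdict from a correct check.
SAMPLES = {
    "http://img.youtube.com/vi/abc/0.jpg": True,        # genuinely allowed
    "http://photos.blogger.com/a.png": True,            # real subdomain
    "http://blogger.com.evil-cdn.example/x.php": False, # allowed name is only a prefix
    "http://blogger.com@evil.example/a.png": False,     # allowed name in userinfo
    "http://evil.example/?u=blogger.com": False,        # allowed name in query
}


def compare() -> dict:
    """Map each sample URL to (naive verdict, strict verdict) so the
    difference between the two checks is visible side by side."""
    return {u: (naive_is_trusted(u), strict_is_trusted(u)) for u in SAMPLES}


if __name__ == "__main__":
    for url, (naive, strict) in compare().items():
        print(f"naive={naive!s:5} strict={strict!s:5} expected={SAMPLES[url]!s:5} {url}")
```

Only the strict check agrees with the expected column for every sample; the naive check accepts all five.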
This security hole was widely exploited and TimThumb has since been fixed, but such updates are not automatically propagated to self-hosted websites. There may still be plenty of vulnerable TimThumb installations in the wild. If you’re running a site that might use TimThumb and you were not aware of this issue, you should probably check right now to see if you’re vulnerable – see Mark Maunder’s posts for details.
Candace has since been working overtime to remove both the exploit and the malware that had been installed through it, and her site is once again free of advertising spam. Why that spam only showed up in the iOS app for Google+ remains an open question. As I mentioned in my original post, this was not the only instance – I’ve seen similar spam ads elsewhere that appeared only in Tweetbot’s embedded browser.
Certainly, any hack affecting more widely used browsers would be detected and fixed very quickly, so perhaps the hackers were deliberately limiting their target audience in order to fly under the radar. Or perhaps my first guess was correct and embedded iOS browsers just happen to be vulnerable to hacks aimed at old browsers such as IE6. Until a security expert analyzes such spam scripts we won’t know for sure.