What's new in Ceros

The latest and greatest in the world of Ceros

security
August 02, 2019

XSS Vulnerability: Ceros Scroll Proxy

Summary

Ceros has released a security update to resolve one cross-site scripting (XSS) vulnerability in proprietary code referred to as the Ceros “Scroll Proxy.” The vulnerability affected both exported content and content that uses a self-hosted copy of the Scroll Proxy (scroll-proxy.js).

XSS attacks allow an attacker to run malicious JavaScript in another user’s browser. The malicious script could capture cookies or session tokens, or rewrite the content of the page. A vulnerability, in this context, is a flaw that would let an attacker carry out such an attack. Read more about XSS here.

Analysis

Ceros has confirmed proof-of-concept (PoC) code that demonstrates a theoretical exploit of this vulnerability (PoC available upon request).

Ceros is not aware of any successful exploitation happening in the wild or of any breach of internal or customer data.

Exploiting this vulnerability would require a malicious iframe, embedded on the same page as a Ceros iframe, that specifically targets the Ceros content in order to perform an XSS attack on the parent page. While this is an unlikely scenario, it was theoretically possible prior to this patch release.
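As an added illustration of the class of bug described above (example code written for this page, not Ceros's scroll-proxy.js): a parent-page script that applies messages from an embedded iframe without checking who sent them can be driven by any other iframe on the same page. The example assumes the proxy receives its messages through window.postMessage, which is how frames on a page normally talk to each other; the origins, frame objects and message shapes are placeholders constructed for the example, and the handlers take a plain { origin, source, data } object so the code runs outside a browser.

```javascript
// Generic illustration of a cross-frame message handler, vulnerable and
// hardened side by side. Not Ceros's code; all names below are constructed.

// Placeholder origins (hypothetical, not real Ceros hostnames).
const TRUSTED_ORIGIN = "https://experience.ceros.example";
const ATTACKER_ORIGIN = "https://attacker.example";

// Stand-ins for iframe.contentWindow references on the parent page.
const cerosFrame = { name: "ceros-experience" };
const secondFrame = { name: "another-frame-same-origin" };
const attackerFrame = { name: "third-party-widget" };

// Stand-in for the parent-page DOM the proxy writes to.
function makeParentPage() {
  return { scrollTop: 0, html: "" };
}

// Vulnerable pattern: no origin or source check, and a message type whose
// payload is written to the parent page as markup. Any iframe on the page
// (the "malicious iframe" of the advisory) can post this and run script in
// the parent page's origin.
function makeVulnerableHandler(page) {
  return function onMessage(event) {
    const msg = event.data;
    if (msg.type === "scrollTo") page.scrollTop = msg.y;
    if (msg.type === "setHtml") page.html = msg.html; // innerHTML-style sink
    return true; // every message is accepted
  };
}

// Hardened pattern: pin the expected origin AND the expected source window,
// allow-list message types, validate each field, and keep no markup sink.
// Returns true if the message was applied, false if it was rejected.
function makeHardenedHandler(page, trustedOrigin, trustedSource) {
  const allowedTypes = new Set(["scrollTo"]);
  return function onMessage(event) {
    if (event.origin !== trustedOrigin) return false; // wrong origin
    if (event.source !== trustedSource) return false; // right origin, wrong frame
    const msg = event.data;
    if (!msg || typeof msg !== "object" || !allowedTypes.has(msg.type)) return false;
    if (msg.type === "scrollTo") {
      if (!Number.isFinite(msg.y)) return false; // reject non-numeric payloads
      page.scrollTop = Math.max(0, Math.floor(msg.y));
    }
    return true;
  };
}

// Drive both handlers with the same four constructed events and report what
// each parent page looks like afterwards.
function runScenario() {
  const events = [
    // 1. Legitimate scroll message from the embedded experience.
    { origin: TRUSTED_ORIGIN, source: cerosFrame, data: { type: "scrollTo", y: 120 } },
    // 2. Malicious sibling iframe trying to inject markup into the parent page.
    { origin: ATTACKER_ORIGIN, source: attackerFrame,
      data: { type: "setHtml", html: "<img src=x onerror=alert(document.domain)>" } },
    // 3. Right origin, but not the frame the proxy was set up for.
    { origin: TRUSTED_ORIGIN, source: secondFrame, data: { type: "scrollTo", y: 50 } },
    // 4. Right origin and frame, but a malformed payload.
    { origin: TRUSTED_ORIGIN, source: cerosFrame, data: { type: "scrollTo", y: "9e9" } },
  ];

  const vulnerablePage = makeParentPage();
  const hardenedPage = makeParentPage();
  const vulnerable = makeVulnerableHandler(vulnerablePage);
  const hardened = makeHardenedHandler(hardenedPage, TRUSTED_ORIGIN, cerosFrame);

  const vulnerableAccepted = events.map((e) => vulnerable(e));
  const hardenedAccepted = events.map((e) => hardened(e));
  return { vulnerablePage, hardenedPage, vulnerableAccepted, hardenedAccepted };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The two checks that matter are event.origin, which the browser sets and a frame cannot forge, and event.source, which distinguishes the one expected iframe from any other frame served from the same origin. Validating the payload and keeping no markup sink on the parent page closes the remaining gap, so that even a message that passes both checks cannot inject script.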

Solution

At 4 PM EDT on August 2, 2019, Ceros released a patched build to its production environment to remediate the vulnerability, and took additional steps to revise how embedded experiences communicate with the Scroll Proxy. The response was immediate: the Ceros team remediated this vulnerability within 24 hours of discovery.

If you are using a standard Ceros embed code, you don’t need to do anything.

However, if you are self-hosting the Scroll Proxy, you will need to re-export your content to upgrade to the patched version of scroll-proxy.js and remediate this vulnerability.

Safeguards

Ceros is performing a full root cause analysis and a formal review of security testing procedures to avoid this type of vulnerability in the future.

If you discover a vulnerability in any Ceros product, please let us know at security@ceros.com.

Should you have any questions or need help remediating this vulnerability, please email support@ceros.com.

security
August 01, 2019

XSS Vulnerability: Exported Experiences

Summary

Ceros has released a security update to resolve one cross-site scripting (XSS) vulnerability affecting exported, self-hosted Ceros Experiences when viewed in Internet Explorer browsers.

XSS attacks allow an attacker to run malicious JavaScript in another user’s browser. The malicious script could capture cookies or session tokens, or rewrite the content of the page. A vulnerability, in this context, is a flaw that would let an attacker carry out such an attack. Read more about XSS here.

Analysis

Ceros has confirmed proof-of-concept (PoC) code that demonstrates a theoretical exploit of this vulnerability (PoC available upon request).

Ceros is not aware of any successful exploitation happening in the wild or of any breach of internal or customer data.

Solution

At 10 PM EDT on July 31, 2019, Ceros released a patched build to its production environment that remediates the vulnerability in any newly exported experiences. The response was immediate: the Ceros team remediated this vulnerability within 24 hours of discovery.

Because exported Ceros content is no longer managed by Ceros, we are unable to retroactively apply this fix to experiences exported prior to 4 PM EDT on August 2, 2019.

To fully remediate this vulnerability, you must re-export and replace all Ceros Experiences hosted outside of Ceros, as well as any CDE files you are self-hosting. Please consult our guide to exporting experiences.

If you have a large number of experiences to export, we have developed a script that can patch all exported experiences. This script must be run by a developer or a system administrator. If you have such a person available, please reach out to support@ceros.com for more information.

Safeguards

Ceros is performing a full root cause analysis and a formal review of security testing procedures to avoid this type of vulnerability in the future.

If you discover a vulnerability in any Ceros product, please let us know at security@ceros.com.

Should you have any questions or need help remediating this vulnerability, please email support@ceros.com.

Release
July 27, 2019

Google Tag Manager User Toggle

We now allow users to toggle the initialization of Google Tag Manager on an embedded page view. If the parent page is already configured with Google Tag Manager/Google Analytics, you can disable this feature to prevent double-reporting of page views.