March Madness Malware: All Top 10 US Sports Sites Serve Up Risk - Infosecurity Magazine

With March Madness in full swing and the Sweet Sixteen kicking off, there’s some bad news for basketball fans: most of the Top 10 US sport sites have been found to have vulnerabilities, and are serving active code from risky background sites.
Menlo Security examined them to see whether they were running vulnerable versions of web-software code, leaving sports fans susceptible to phishing attacks and malware. All 10 sites were running vulnerable versions of web-software code at the time of testing; and Microsoft-IIS/8.5 was the most prominent vulnerable version reported with known software vulnerabilities.
Also, 60% (6 websites) of the top sites were found to be serving active code from background sites flagged for phishing and other frauds.
What's not obvious to an end user is that a visit to a website almost always also results in the browser loading active content from many other sources. This is to facilitate tracking from CDNs and ad-networks, mostly.
But the problem is that the website owner has little to no control over the security posture of these background sites.
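
An added example, not part of the original post or of the Menlo Security report: a small Python audit that lists the background hosts a page loads active content from, so a site owner can see what they are trusting. The tag list, the first-party rule and every hostname in the sample are assumptions made for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch active content.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

class ActiveContentAudit(HTMLParser):
    """Group the third-party URLs a page loads active content from by host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        host = urlsplit(page_url).hostname or ""
        # Assumption: the site controls its own host and subdomains; a real
        # audit would compare registrable domains (Public Suffix List).
        self.site = host[4:] if host.startswith("www.") else host
        self.background = defaultdict(list)  # host -> [(tag, url), ...]

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return  # inline script, or a tag with no URL to fetch
        url = urljoin(self.page_url, value)  # resolves relative and //host URLs
        host = urlsplit(url).hostname
        if host and host != self.site and not host.endswith("." + self.site):
            self.background[host].append((tag, url))

def background_hosts(page_url, html):
    audit = ActiveContentAudit(page_url)
    audit.feed(html)
    return dict(audit.background)

# Constructed sample page; every host is a placeholder.
SAMPLE = """<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="https://ads.example.org/tag.js" async></script>
</head><body>
<iframe src="https://ads.example.org/frame.html"></iframe>
<script>console.log("inline")</script>
<script src="https://img.sports.example.com/w.js"></script>
</body></html>"""

if __name__ == "__main__":
    found = background_hosts("https://www.sports.example.com/", SAMPLE)
    for host, items in sorted(found.items()):
        print(host, [tag for tag, _ in items])
```

This only sees what is in the static HTML; scripts that inject further scripts at run time need a browser-based crawl to enumerate.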