If the biggest online technology companies like Microsoft, Google and Yahoo have all themselves acknowledged or apologized in the past for serving malware to consumers via their own advertising code, what about the hundreds of other companies with far fewer resources that are right now executing bits of code and scripts on the thousands of websites you visit?
Reuters' site was compromised by the Syrian Electronic Army to post a political message. They did so by hacking the software of an ad-network, Taboola. They also claimed to have gained access to Taboola's Paypal account and to prove it posted a screenshot of a $600k+ balance.
According to the article, Taboola works with sites:
"including Time.com, USA Today, the New York Times, BBC, TMZ, The Hollywood Reporter, Politico.com, Examiner and others. Taboola acknowledged being the source of the compromise and said that SEA hacked one of its widgets used on Reuters.com."
A website's security is only as good as the security of the slackest, laziest, or worst-funded ad network, social network or analytics startup whose javascript the site may have placed on their page(s) or in their site templates.
Bits of javascript are often added to a site by the company's IT department with or without understanding the business relationship (and when it may end), or by other employees or contractors who get access to expedite the launch of some marketing campaign. The person who did it may not even be someone who still works for the company: as is not uncommon, it could be someone who no longer works at some advertising agency the company no longer retains who placed it on behalf of an ad-network using an ad-tech vendor. And so on.
When I used to run an adtech vendor we could see ad tracking, retargeting or analytics pixels sitting on website pages for years after all business relationships between the vendor and the advertiser had ceased. Unless something breaks the page and causes it to stop loading, the hassle-factor and inertia outweigh good security policy, stop it from being changed or removed, and little bits of seemingly benign code persist over time on tens of thousands of websites.
Website publishers give up a lot of control when they put javascript from third parties on their web pages. Sometimes they are knowingly making a trade - for example getting some free analytics about who is visiting their website in exchange for some anonymous data tracking. But the purpose and workings of the code they placed on their site can change on an ongoing basis. Through the millions of sites that have "Like" buttons on them, Facebook is reportedly now using your web history for its own ad targeting benefit. Quantcast turned free analytics they gave to millions of sites into a $100 million gross ad spend business. The majority of the top 1,000 online retailers have like buttons on their websites - even if not logged in, every time someone visits the site, Facebook gets a free ping that a specific web browser has hit that page and MIGHT be interested in its product or category. Consumer and publisher privacy alike is thus subject to a change of business model and the modification (of probably unread anyway) terms of use.
Who is the Weakest Link?
Reuters may have opened itself up to vulnerability by having over 40 advertising and analytics vendors whose code was tracked as coming from its pages.
These technologies may also slow down the website. On a recent visit to Reuters.com, even after the compromise had happened and Taboola's code disabled (6/23/2014) my visit started at 12:41:39 PM, it loaded over 100 different http requests, and the page took about 34 seconds to finish loading. As we have all probably experienced, any one of these could potentially "hang" the page leaving us frustrated with a partially-blank screen. Some of these bits of code are from data companies like Bizo or Exelate, that resell access to behavioral data they gather to advertisers that may change what ads you see on other sites. Many of them pay the publisher (like Reuters) a monthly fixed or variable fee (or sometimes a revenue share) based on the volume of users their code is able to "see". Reuters may not have direct relationships with all of these companies since many ad or data companies often "piggyback" in turn yet more code or scripts to help their advertisers or agencies identify users, or track impressions or clicks on their advertisements.
Typically ad-supported websites like newspapers trying to eke out a profitable digital existence have more than their share of these vendor scripts running on their sites, which when combined with large numbers of people visiting their sites on daily basis, only serves to magnify the attractiveness of their known or unknown script-slinging ad tech partners as targets.
Publishers can't shift all responsibility to networks and tech vendors, however. In 2009, the New York Times succumbed to malicious ads, not from a third-party network, after the ads (and an unknown 'ad serving technology vendor') was "approved by the site's advertising operations team".
As consumers we need to ask the companies whose sites we are visiting who they are working with, and be really clear what steps they are taking to prevent themselves being the weakest security link in what is an already weak website technology chain.