According to a paper by Morgan Marquis at the University of Toronto based The Citizen Lab, spy agencies had been able to use unencrypted YouTube videos and Microsoft Live log-ins to install malwalware on your devices. No need to panic, however, as YouTube and Microsoft have moved on to encrypted connections, so this is not a current vulnerability for these services.
This vulnerability was a network injection, a man-in-the-middle attack. This is where agencies intercept traffic between the server and the consumer, and manipulated to include malware. It is scary because government agencies have the power to force cooperation of network providers and force their silence.
This type of attack is not possible on encrypted connections. However, a large portion of connection are not encrypted. There are sites that use encrypted connections, while also use unencrypted traffic for ad networks or third parties. These are still vulnerable to network connections.
This is a more widespread problem than merely YouTube and Microsoft Live. There are companies that provide spy agencies with the tools to continue to capitalize on these vulnerabilities. This allows an easy access to network injections in less democratic or advanced countries that could use this to target dissenters, etc. You can read the study in full here.
The only way to counter this is to promote encrypted connections. Encouragement like Microsoft’s promise of higher ranking in Bing search results to companies that implement encrypted connections will hopefully push sites to make the change faster.
The unsettling reminder that studies like this give us is that there are many potentially current exploits that we will only find out about in a paper such as this in the future. However, each of these papers do also spurn more action and bring attention to security. Hopefully, we will see a continued decline in security vulnerabilities as companies place increasing attention on security and customers demand it.
