• flatbield@beehaw.org
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    There are plenty of ways. They probably just do not want to do it. Easiest might be only certain allowed formats and all the content must be on the ad networks servers. They could allow more options for vetted business partners.

    • NaibofTabr@infosec.pub
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Easiest might be only certain allowed formats

      The problem with this is that I can label a file any format I want, because ultimately the file is just a string of binary. A lot of file formats use embedded headers to make them identifiable regardless of label or metadata, but it’s completely possible to fake those. I could even give you an image file that is malware, which would be difficult to identify until it actually did something malicious.

      I think to be sure, you’d have to basically detonate every ad file in a sandbox environment to see if it tried do anything unexpected, which would be… less than simple. You’d have to check it across every major browser and OS, because it might only operate on specific systems.