Internet service providers that serve advertising when a user requests a Web page that doesn’t exist are exposing their users to a giant security breach, according to security researcher Dan Kaminsky.
The vulnerability resulting from the practice, which is an increasingly common way for ISPs to make money from users’ typos, was identified last week on Earthlink by Kaminsky, who is director of penetration testing for security firm IOActive.
Kaminsky presented his findings at the Toorcon hacker conference on Saturday.
The problem Kaminsky found was a slightly finer twist on a controversial practice that has been around for a few years already. It’s not new for ISPs to serve ads when a user mistypes a URL and ends up inputting one that doesn’t exist.
In that case, Earthlink, for example, goes to the server at Barefruit, its London-based ad partner, instead. At that point the user is given a list of suggestions for what the desired site might have been, as well as a Yahoo search box and some ads. Earthlink began the practice in 2006, and explains it in a blog post from August of that year.
What is relatively new, however, is for those ad pages to get served when a user requests a nonexistent subdomain of a legitimate Web site, such as “wrongsubdomain.rightdomain.com.”
In that case the Barefruit ads once again appear in the browser, but now the title bar suggests that the page is part of the official domain requested.
Earthlink argues that its general ad-serving process helps users: “By presenting users with contextual help based upon the non-existent domain the user entered, we believe we are improving the EarthLink user experience with a system that will not interfere with other network processes,” it said.
According to Kaminsky, however, the result is that any nonexistent subdomain of a legitimate site is only as secure as Barefruit’s servers — which he found were not too secure at all. He actually demonstrated that he could insert a YouTube video into the Facebook and PayPal domains, for example.
Of course, that was a demonstration; the real threat is what a malicious hacker could insert instead, such as code to steal user passwords.
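As an added illustration, not part of the original article or of Kaminsky’s own tooling, here is the kind of resolver check a network or security team could run against its ISP’s DNS: a freshly generated random subdomain should never resolve, so an address answer from the ISP resolver where an independent control resolver returns NXDOMAIN reveals the rewriting described above. The two resolvers here are constructed stand-ins so the check runs offline; `check_nxdomain_rewrite`, `shared_rewrite_target` and the RFC 5737 addresses are assumptions of the example.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a hostname to its A-record addresses, or None for NXDOMAIN.
# Injected so the check runs offline; in practice wrap a real lookup (e.g.
# dnspython) pointed at the ISP resolver and at an independent control resolver.
Resolver = Callable[[str], Optional[List[str]]]
Report = Dict[str, Tuple[bool, List[str]]]

def random_label(nbytes: int = 8) -> str:
    """A label nobody has registered, so the only honest answer is NXDOMAIN."""
    return "canary-" + secrets.token_hex(nbytes)

def check_nxdomain_rewrite(domains: List[str], isp: Resolver, control: Resolver) -> Report:
    """Query a never-registered subdomain of each domain through both resolvers.
    If the control says NXDOMAIN but the ISP returns addresses, the ISP is placing
    its own (or a partner's) content inside that domain's name space."""
    results: Report = {}
    for domain in domains:
        name = f"{random_label()}.{domain}"
        isp_answer = isp(name)
        hijacked = control(name) is None and bool(isp_answer)
        results[domain] = (hijacked, list(isp_answer or []))
    return results

def shared_rewrite_target(results: Report) -> Optional[str]:
    """Address common to every hijacked domain, if any: one server answering for
    many unrelated domains is the signature of resolver-level rewriting."""
    hijacked = [set(addrs) for ok, addrs in results.values() if ok]
    common = set.intersection(*hijacked) if hijacked else set()
    return min(common) if common else None

# Constructed fixtures: a tiny zone plus RFC 5737 documentation addresses, not real hosts.
_ZONE = {"www.example.com": ["203.0.113.10"], "www.example.net": ["203.0.113.11"]}
_AD_SERVER = "203.0.113.99"

def honest_resolver(name: str) -> Optional[List[str]]:
    return _ZONE.get(name)  # None means NXDOMAIN

def rewriting_resolver(name: str) -> Optional[List[str]]:
    """Mimics the behaviour described in the article: any nonexistent name under
    any domain is answered with the ad partner's address instead of NXDOMAIN."""
    return _ZONE.get(name) or [_AD_SERVER]

if __name__ == "__main__":
    report = check_nxdomain_rewrite(["example.com", "example.net"],
                                    rewriting_resolver, honest_resolver)
    for domain, (hijacked, addrs) in report.items():
        print(domain, "REWRITTEN ->" if hijacked else "ok", addrs)
    print("common rewrite target:", shared_rewrite_target(report))
```

Running the same check for several unrelated domains and seeing them all land on one address is the strongest signal: a per-site wildcard record would differ from domain to domain, whereas resolver-level substitution does not.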
Earthlink officials said the problem was fixed soon after Kaminsky brought it to their attention.
“EarthLink is aware of the issue that Mr. Kaminsky has raised,” company spokesperson Chris Marshall told TechNewsWorld. “We quickly researched the issue, resolved it, and we believe it does not currently affect our system.”
Barefruit could not be reached for comment.
Kaminsky, meanwhile, is not so sure the problem is solved, as other ISPs are using similar tactics.
“The problem is not entirely fixed,” Kaminsky told TechNewsWorld. “The known issue has been fixed, but the fact remains that the security of the Web from these ISPs is limited to the security of these ad servers. Any problem a random advertiser has is going to affect you.”
The fundamental issue, Kaminsky added, is that the vulnerability exploits companies’ trusted trademarks. When third-party content is injected into a trusted domain, it undermines the security users trust that site to provide, he said.
Kaminsky doesn’t think he uncovered anything deliberate at this point. “Maybe I’m an optimist, but I don’t think anyone set out to do this subdomain injection — it’s such a subtle difference to put yourself in where no one is using that domain or particular subdomain,” he explained.
“I think it was an accidental misconfiguration, but its effects were really, really bad,” he said.
In terms of potential consequences, “it’s sort of depressing,” Kaminsky added. “You have your expectations about what people will do, and sometimes it’s a lot worse.”
‘A Legal Issue’
What can be done about the problem?
Not much at the technology level, according to Kaminsky.
“I can come up with a mitigation, but as soon as someone inserts a way to change the bytes as they go by, they can remove the mitigation,” he said.
Rather, it will require a legal solution to get people to stop spoofing subdomains, Kaminsky said.
“They probably think they’re doing it safely, but it’s someone else’s domain, someone else’s property,” he said. “That’s a legal issue.”
Preventing the Next One
Others take a slightly different view.
“We’re all concerned about the structural weakness in the DNS market that has been uncovered,” Paul Vixie, president of the nonprofit Internet Systems Consortium, told TechNewsWorld.
While the problem at Earthlink was fixed, “the next one could be much more damaging,” Vixie said. “The only reason this one wasn’t dangerous is that the discoverer was a good person.”
What’s needed now is a way to make sure there isn’t a similar problem waiting for a “bad guy” to discover, he added.
‘A Long Haul’
“This has to do with the inappropriate monetization” of the Web, Vixie asserted. Providing ads rather than error messages “might be a great way to increase your own topline revenue, but it’s adding a risk to the system,” he said. “We just have to get people to stop doing that.”
Whereas Kaminsky called on the legal system to address the problem, Vixie looks elsewhere for a solution.
“Ultimately, there are not laws that have any effect on this, so if we want people to stop, it will have to be done through Consumers Union, boycotts and things of that nature,” he concluded. “The first thing we’ll see is more measurement, public disclosure and public shaming over things like this, but it’s going to be a long haul.”