EarthLink redirect service poses security risk, expert says
A vulnerability in servers used by EarthLink
to handle mistyped Web page requests may have allowed attackers to launch undetectable
phishing attacks against any Internet site, according to a noted Internet security
researcher.
The bug, which was patched earlier this week, underscores a fundamental security
risk in the way that some ISPs are attempting to generate advertising revenue
from mistyped Web addresses, said Dan Kaminsky, director of penetration testing
with IOActive, a security consulting firm.
The vulnerability was in a service called Barefruit, which Earthlink has been
using since August 2006 to return Web pages with search terms and advertising
to customers who mistype a domain name in their browser.
Barefruit, which is based in London, operates a service that works with Domain
Name Servers, (DNS) which are used by the browser to translate domain names,
such as yahoo.com, into numerical Internet Protocol addresses. Typically, when
a browser asks a DNS server for a nonexistent Internet address -- adsewrds.yahoo.com
for example -- the DNS server returns an error message indicating that no such
address exists. With Barefruit's servers, the user is told that the address
does exist, and is then sent to a Web page that displays advertising and suggested
search terms.
Because of a bug in the software used to redirect users to these advertising
and search pages, Kaminsky was able to get the pages to run his own JavaScript
code. With the browser treating this code as if it were from a legitimate domain,
Kaminsky was able to steal users' cookies, create fake Web sites that appeared
to be hosted on legitimate domains, and even log into certain Web sites without
authorization.
Generating revenue from domain name typos has generated controversy before.
In 2003, domain name registrar Verisign
was forced to disable a similar system called SiteFinder, which redirected Web
surfers who had typed nonexistent domains.
EarthLink is not the only ISP to be testing this system. Kaminsky said he found
evidence of Barefruit or similar systems being tested on Verizon,
Time Warner, Qwest
and Comcast, which outsources
some of its network to EarthLink.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
