9:58 AM

That fat-fingered URL could result in more than just a page error: Major broadband ISPs such Earthlink, Comcast, and Verizon, are running advertising servers that capture such error traffic, but these servers are also are putting major Websites as well as their visitors at risk of cross-site scripting (XSS) and other attacks, according to researchers.

Dan Kaminsky, director of penetration testing for IOActive, at ToorCon in Seattle this weekend demonstrated what he calls a “Provider-in-the Middle Attack” or PITMA, an attack that steals cookies and injects content into legitimate Web pages via an ad server -- in the demo, an Earthlink ad server -- that contained a cross-site scripting flaw. He showed the attack to illustrate how these ad servers, which redirect a user that types in an incorrect URL, can be abused by the bad guys to compromise the Associated Press, Facebook, MySpace, and other Websites.

Kaminsky said in an interview prior to his demo at ToorCon that the ad servers, which are run by the advertisers on behalf of the ISPs, impersonate some trademarked domains via DNS. But ISPs aren’t intentionally putting legitimate sites such at risk, and the problem is more a side effect of this ad server model. "They are trying to monetize the vast number of eyeballs that go through them but don’t stop along the way... I don’t think the [security problem] is intentional. No one set out to make the Web less secure," Kaminsky says.

But that’s just what this arrangement has done, he says. ISPs are working with error-resolution services, such as Barefruit, that help squeeze ad revenue out of URL typos so that when a user mistypes www.facebook.com, for example, his ISP sends him to a URL that’s an available subdomain of Facebook that contains ads for alternative sites to Facebook on the page, for instance. “They say [to the ISP]: 'You deploy this box, and we’ll dynamically register and create these records when a user mistypes something,'” Kaminsky says.

Here’s the rub: If that ad server containing a Facebook subdomain name carries a cross-site scripting or other vulnerability, for example, says Kaminsky, it puts both Facebook and its visitors at risk of these types of attacks. A parent domain typically trusts its subdomain, but in this case, the subdomain is actually run by “a bunch of advertisers,” he says.

“Facebook knows how important security is. But does the ad server [with a Facebook subdomain name] know that?” says Kaminsky, who along with Jason Larsen, senior security consultant for IOActive, went public with their PITM research on Saturday at ToorCon.

An attacker could steal cookies, execute a phishing exploit mimicking Facebook by injecting a fake Facebook site, or compromise a page on the legit site. (HTTPS-based resources are immune, however.)

And this subdomain security risk may not just be an ISP problem, researchers say. Danny McPherson, director of security research for Arbor Networks, says in a new blog post: "I would emphasize (as DMK did subtly note) that, even for the attacks DMK outlined, you do NOT have to be the ISP/packet data path at all to molest Internet users, just in the DNS 'control path'."

Kaminsky says the PITM problem itself was easy to spot and demonstrate, especially because XSS is so prolific. “Cross-site scripting is the new buffer overflow. It’s everyone’s first exploit."

He says he spoke with Earthlink about its vulnerability, which it has since fixed, and then to Barefruit engineers, whom he says were responsive and “on it” when he alerted them to the vulnerabilities, although they are still at risk of future such bugs. He says he decided to go public with the research at this time due to his and Larsen’s concerns about hotly debated language in Network Solutions’ DNS hosting contracts that includes the right to inject its own host into a purchased domain.

Earthlink uses Barefruit’s service, and since Comcast outsources some of its network to Earthlink, it’s also affected by this, Kaminsky says. Verizon is using a similar approach with a provider other than Barefruit, he says, as is Time Warner, and Qwest is trialing Barefruit.

Kaminsky and Larsen, meanwhile, have also sent letters to several major Websites they had discovered were at risk of these attacks. “We believe that the security hole is reasonably straightforward to fix, either by temporarily disabling the advertising server, or by resolving the error condition that allows Cross-Site Scripting,” they wrote. “We are contacting the affected ISP's to address at least the security issue in play. The fundamental trademark violation issue is outside our scope, however, we encourage you to pay close attention to this case, as the fundamental design of these advertising systems requires direct impersonation of your protected marks.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.