
'Provider-in-the-Middle Attacks' Put Major Websites, Users at Risk

Researchers discover that ad servers from over 70 ISPs, such as Earthlink and Comcast, put trademarked sites - and users who visit them - at risk of cross-site scripting, other attacks

That fat-fingered URL could result in more than just a page error: Major broadband ISPs such as Earthlink, Comcast, and Verizon are running advertising servers that capture such error traffic, but these servers are also putting major Websites, as well as their visitors, at risk of cross-site scripting (XSS) and other attacks, according to researchers.

Dan Kaminsky, director of penetration testing for IOActive, at ToorCon in Seattle this weekend demonstrated what he calls a “Provider-in-the-Middle Attack” or PITMA, an attack that steals cookies and injects content into legitimate Web pages via an ad server -- in the demo, an Earthlink ad server -- that contained a cross-site scripting flaw. He showed the attack to illustrate how these ad servers, which redirect a user who types in an incorrect URL, can be abused by the bad guys to compromise the Associated Press, Facebook, MySpace, and other Websites.

Kaminsky said in an interview prior to his demo at ToorCon that the ad servers, which are run by the advertisers on behalf of the ISPs, impersonate some trademarked domains via DNS. But ISPs aren’t intentionally putting legitimate sites at risk; the problem is more a side effect of this ad server model. "They are trying to monetize the vast number of eyeballs that go through them but don’t stop along the way... I don’t think the [security problem] is intentional. No one set out to make the Web less secure," Kaminsky says.

But that’s just what this arrangement has done, he says. ISPs are working with error-resolution services, such as Barefruit, that help squeeze ad revenue out of URL typos: when a user mistypes www.facebook.com, for example, his ISP sends him to an available subdomain of Facebook whose page carries ads for alternative sites to Facebook. “They say [to the ISP]: 'You deploy this box, and we’ll dynamically register and create these records when a user mistypes something,'” Kaminsky says.

Here’s the rub: If that ad server containing a Facebook subdomain name carries a cross-site scripting or other vulnerability, for example, says Kaminsky, it puts both Facebook and its visitors at risk of these types of attacks. A parent domain typically trusts its subdomain, but in this case, the subdomain is actually run by “a bunch of advertisers,” he says.

“Facebook knows how important security is. But does the ad server [with a Facebook subdomain name] know that?” says Kaminsky, who along with Jason Larsen, senior security consultant for IOActive, went public with their PITM research on Saturday at ToorCon.

An attacker could steal cookies, execute a phishing exploit mimicking Facebook by injecting a fake Facebook site, or compromise a page on the legit site. (HTTPS-based resources are immune, however.)
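The reason a parent site's cookies end up on a typo subdomain hosted by an ad server, and why HTTPS-only resources are spared, comes down to browser cookie scoping. The following is an added example, not code from the article or from IOActive: it applies the RFC 6265 domain-matching rules to a constructed cookie jar for a placeholder domain (example.com) and shows which cookies a browser would send to a mistyped, ISP-synthesised subdomain served over plain HTTP.

```python
# Added example (not from the article): why a parent domain's cookies reach an
# ISP/ad-server-controlled subdomain, and which attributes keep them out.
# Domain matching follows RFC 6265 section 5.1.3; all hostnames are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str           # stored domain: Domain attribute, or the request host if host-only
    host_only: bool       # True when Set-Cookie carried no Domain attribute
    secure: bool = False  # Secure attribute: only sent over https


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the cookie domain or is a subdomain of it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_sent(cookies, scheme: str, request_host: str):
    """Return the names of cookies a browser would attach to scheme://request_host/."""
    sent = []
    for c in cookies:
        if c.host_only:
            if request_host.lower() != c.domain.lower():
                continue  # host-only cookies never leave the exact host
        elif not domain_matches(request_host, c.domain):
            continue
        if c.secure and scheme != "https":
            continue      # Secure cookies are withheld from plain http
        sent.append(c.name)
    return sent


# Constructed jar for a site like the ones in the article (placeholder domain).
JAR = [
    Cookie("session_wide", "example.com", host_only=False),                # Domain=example.com
    Cookie("session_host", "www.example.com", host_only=True),             # no Domain attribute
    Cookie("session_secure", "example.com", host_only=False, secure=True), # Domain=example.com; Secure
]


def leaked_to_typo_subdomain():
    # The ISP resolver hands the mistyped name to the ad server, which serves plain http,
    # so only the domain-wide, non-Secure cookie crosses over to the third party.
    return cookies_sent(JAR, "http", "wwww.example.com")
```

A site that wants to limit exposure to a hijacked subdomain therefore avoids domain-wide session cookies where it can and marks the rest Secure, which is exactly why the article notes that HTTPS-based resources are immune.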

And this subdomain security risk may not just be an ISP problem, researchers say. Danny McPherson, director of security research for Arbor Networks, says in a new blog post: "I would emphasize (as DMK did subtly note) that, even for the attacks DMK outlined, you do NOT have to be the ISP/packet data path at all to molest Internet users, just in the DNS 'control path'."

Kaminsky says the PITM problem itself was easy to spot and demonstrate, especially because XSS is so prolific. “Cross-site scripting is the new buffer overflow. It’s everyone’s first exploit."

He says he spoke with Earthlink about its vulnerability, which it has since fixed, and then to Barefruit engineers, who he says were responsive and “on it” when he alerted them to the vulnerabilities, although they remain at risk of similar bugs in the future. He says he decided to go public with the research at this time due to his and Larsen’s concerns about hotly debated language in Network Solutions’ DNS hosting contracts that includes the right to inject its own host into a purchased domain.

Earthlink uses Barefruit’s service, and since Comcast outsources some of its network to Earthlink, it’s also affected by this, Kaminsky says. Verizon is using a similar approach with a provider other than Barefruit, he says, as is Time Warner, and Qwest is trialing Barefruit.

Kaminsky and Larsen, meanwhile, have also sent letters to several major Websites they had discovered were at risk of these attacks. “We believe that the security hole is reasonably straightforward to fix, either by temporarily disabling the advertising server, or by resolving the error condition that allows Cross-Site Scripting,” they wrote. “We are contacting the affected ISPs to address at least the security issue in play. The fundamental trademark violation issue is outside our scope; however, we encourage you to pay close attention to this case, as the fundamental design of these advertising systems requires direct impersonation of your protected marks.”

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...