Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:58 AM
Connect Directly

'Provider-in-the-Middle Attacks' Put Major Websites, Users at Risk

Researchers discover that ad servers from over 70 ISPs, such as Earthlink and Comcast, put trademarked sites - and users who visit them - at risk of cross-site scripting, other attacks

9:58 AM

That fat-fingered URL could result in more than just a page error: Major broadband ISPs such Earthlink, Comcast, and Verizon, are running advertising servers that capture such error traffic, but these servers are also are putting major Websites as well as their visitors at risk of cross-site scripting (XSS) and other attacks, according to researchers.

Dan Kaminsky, director of penetration testing for IOActive, at ToorCon in Seattle this weekend demonstrated what he calls a “Provider-in-the Middle Attack” or PITMA, an attack that steals cookies and injects content into legitimate Web pages via an ad server -- in the demo, an Earthlink ad server -- that contained a cross-site scripting flaw. He showed the attack to illustrate how these ad servers, which redirect a user that types in an incorrect URL, can be abused by the bad guys to compromise the Associated Press, Facebook, MySpace, and other Websites.

Kaminsky said in an interview prior to his demo at ToorCon that the ad servers, which are run by the advertisers on behalf of the ISPs, impersonate some trademarked domains via DNS. But ISPs aren’t intentionally putting legitimate sites such at risk, and the problem is more a side effect of this ad server model. "They are trying to monetize the vast number of eyeballs that go through them but don’t stop along the way... I don’t think the [security problem] is intentional. No one set out to make the Web less secure," Kaminsky says.

But that’s just what this arrangement has done, he says. ISPs are working with error-resolution services, such as Barefruit, that help squeeze ad revenue out of URL typos so that when a user mistypes www.facebook.com, for example, his ISP sends him to a URL that’s an available subdomain of Facebook that contains ads for alternative sites to Facebook on the page, for instance. “They say [to the ISP]: 'You deploy this box, and we’ll dynamically register and create these records when a user mistypes something,'” Kaminsky says.

Here’s the rub: If that ad server containing a Facebook subdomain name carries a cross-site scripting or other vulnerability, for example, says Kaminsky, it puts both Facebook and its visitors at risk of these types of attacks. A parent domain typically trusts its subdomain, but in this case, the subdomain is actually run by “a bunch of advertisers,” he says.

“Facebook knows how important security is. But does the ad server [with a Facebook subdomain name] know that?” says Kaminsky, who along with Jason Larsen, senior security consultant for IOActive, went public with their PITM research on Saturday at ToorCon.

An attacker could steal cookies, execute a phishing exploit mimicking Facebook by injecting a fake Facebook site, or compromise a page on the legit site. (HTTPS-based resources are immune, however.)

And this subdomain security risk may not just be an ISP problem, researchers say. Danny McPherson, director of security research for Arbor Networks, says in a new blog post: "I would emphasize (as DMK did subtly note) that, even for the attacks DMK outlined, you do NOT have to be the ISP/packet data path at all to molest Internet users, just in the DNS 'control path'."

Kaminsky says the PITM problem itself was easy to spot and demonstrate, especially because XSS is so prolific. “Cross-site scripting is the new buffer overflow. It’s everyone’s first exploit."

He says he spoke with Earthlink about its vulnerability, which it has since fixed, and then to Barefruit engineers, whom he says were responsive and “on it” when he alerted them to the vulnerabilities, although they are still at risk of future such bugs. He says he decided to go public with the research at this time due to his and Larsen’s concerns about hotly debated language in Network Solutions’ DNS hosting contracts that includes the right to inject its own host into a purchased domain.

Earthlink uses Barefruit’s service, and since Comcast outsources some of its network to Earthlink, it’s also affected by this, Kaminsky says. Verizon is using a similar approach with a provider other than Barefruit, he says, as is Time Warner, and Qwest is trialing Barefruit.

Kaminsky and Larsen, meanwhile, have also sent letters to several major Websites they had discovered were at risk of these attacks. “We believe that the security hole is reasonably straightforward to fix, either by temporarily disabling the advertising server, or by resolving the error condition that allows Cross-Site Scripting,” they wrote. “We are contacting the affected ISP's to address at least the security issue in play. The fundamental trademark violation issue is outside our scope, however, we encourage you to pay close attention to this case, as the fundamental design of these advertising systems requires direct impersonation of your protected marks.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • IOActive
  • Comcast Corp. (Nasdaq: CMCSA, CMCSK)
  • EarthLink Inc. (Nasdaq: ELNK)
  • Verizon Communications Inc. (NYSE: VZ)
  • Arbor Networks Inc.

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Data Leak Week: Billions of Sensitive Files Exposed Online
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
    Lessons from the NSA: Know Your Assets
    Robert Lemos, Contributing Writer,  12/12/2019
    4 Tips to Run Fast in the Face of Digital Transformation
    Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    The Year in Security: 2019
    This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-12-15
    In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for ...
    PUBLISHED: 2019-12-15
    python-requests-Kerberos through 0.5 does not handle mutual authentication
    PUBLISHED: 2019-12-15
    CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration
    PUBLISHED: 2019-12-15
    jersey: XXE via parameter entities not disabled by the jersey SAX parser
    PUBLISHED: 2019-12-15
    JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.