'Provider-in-the-Middle Attacks' Put Major Websites, Users at Risk

Researchers discover that ad servers from over 70 ISPs, such as Earthlink and Comcast, put trademarked sites - and users who visit them - at risk of cross-site scripting, other attacks


That fat-fingered URL could result in more than just a page error: Major broadband ISPs such as Earthlink, Comcast, and Verizon are running advertising servers that capture such error traffic, but these servers are also putting major Websites, as well as their visitors, at risk of cross-site scripting (XSS) and other attacks, according to researchers.

Dan Kaminsky, director of penetration testing for IOActive, at ToorCon in Seattle this weekend demonstrated what he calls a “Provider-in-the-Middle Attack,” or PITMA, an attack that steals cookies and injects content into legitimate Web pages via an ad server -- in the demo, an Earthlink ad server -- that contained a cross-site scripting flaw. He showed the attack to illustrate how these ad servers, which redirect a user who types in an incorrect URL, can be abused by the bad guys to compromise the Associated Press, Facebook, MySpace, and other Websites.

Kaminsky said in an interview prior to his demo at ToorCon that the ad servers, which are run by the advertisers on behalf of the ISPs, impersonate some trademarked domains via DNS. But ISPs aren’t intentionally putting legitimate sites at risk; the problem is more a side effect of this ad server model. "They are trying to monetize the vast number of eyeballs that go through them but don’t stop along the way... I don’t think the [security problem] is intentional. No one set out to make the Web less secure," Kaminsky says.

But that’s just what this arrangement has done, he says. ISPs are working with error-resolution services, such as Barefruit, that help squeeze ad revenue out of URL typos: when a user mistypes www.facebook.com, for example, his ISP sends him to a URL that is an available subdomain of Facebook, and the page there carries ads for alternative sites to Facebook. “They say [to the ISP]: 'You deploy this box, and we’ll dynamically register and create these records when a user mistypes something,'” Kaminsky says.

Here’s the rub: If that ad server containing a Facebook subdomain name carries a cross-site scripting or other vulnerability, for example, says Kaminsky, it puts both Facebook and its visitors at risk of these types of attacks. A parent domain typically trusts its subdomain, but in this case, the subdomain is actually run by “a bunch of advertisers,” he says.

“Facebook knows how important security is. But does the ad server [with a Facebook subdomain name] know that?” says Kaminsky, who along with Jason Larsen, senior security consultant for IOActive, went public with their PITM research on Saturday at ToorCon.

An attacker could steal cookies, execute a phishing exploit mimicking Facebook by injecting a fake Facebook site, or compromise a page on the legit site. (HTTPS-based resources are immune, however.)
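The two paragraphs above (a parent domain trusts its subdomain; an attacker on that subdomain can read cookies) come down to how browsers scope cookies. The following is an added example, not code from the article or from IOActive: it simulates the RFC 6265 rules a browser applies when deciding which stored cookies accompany a request, and shows that a cookie set with a `Domain=` attribute is delivered to every host under that domain, including a mistyped subdomain that an ISP error-resolution ad server answers for, while a host-only cookie and a Secure cookie over plain http are not. The hostnames `www.example.com` and `wwww.example.com`, the cookie names and the values are constructed placeholders.

```python
"""Added example, not code from the Dark Reading article or from IOActive.

Simulates the RFC 6265 rules a browser uses to decide which stored cookies
accompany a request. Only the Domain and Secure attributes are modeled;
HttpOnly and Path are out of scope. Hostnames and cookie values are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str           # stored lowercase without a leading dot
    host_only: bool       # True when Set-Cookie carried no Domain attribute
    secure: bool = False  # Secure attribute: sent over https only


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: equal, or host ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str, request_host: str) -> Optional[Cookie]:
    """Minimal Set-Cookie parser covering name=value, Domain and Secure.

    Returns None when the Domain attribute names a domain the request host
    does not match (RFC 6265 section 5.3 step 6); a browser discards such a cookie.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = request_host.lower()   # host-only default: the setting host itself
    host_only = True
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val.strip():
            domain = val.strip().lstrip(".").lower()
            host_only = False
        elif key == "secure":
            secure = True
    if not host_only and not domain_match(request_host, domain):
        return None
    return Cookie(name.strip(), value.strip(), domain, host_only, secure)


def cookies_sent(jar: List[Cookie], host: str, scheme: str = "https") -> List[str]:
    """RFC 6265 section 5.4: names of the jar's cookies attached to a request."""
    sent = []
    for c in jar:
        if c.host_only and host.lower() != c.domain:
            continue                  # host-only cookies stay on their own host
        if not c.host_only and not domain_match(host, c.domain):
            continue                  # outside the cookie's domain
        if c.secure and scheme != "https":
            continue                  # Secure cookies never travel over http
        sent.append(c.name)
    return sorted(sent)


# Constructed jar: what www.example.com might set on a logged-in visitor.
JAR = [c for c in (
    parse_set_cookie("session=abc123; Domain=example.com", "www.example.com"),
    parse_set_cookie("prefs=dark; Secure", "www.example.com"),          # host-only
    parse_set_cookie("token=x; Domain=other.example", "www.example.com"),  # discarded
) if c is not None]


def leaked_to_typo_host(jar: List[Cookie], typo_host: str) -> List[str]:
    """Cookies an http error page served on a mistyped subdomain would receive."""
    return cookies_sent(jar, typo_host, scheme="http")


if __name__ == "__main__":
    print("www.example.com over https :", cookies_sent(JAR, "www.example.com"))
    print("wwww.example.com over http :", leaked_to_typo_host(JAR, "wwww.example.com"))
    print("example.net over https     :", cookies_sent(JAR, "example.net"))
```

Running it shows that the `session` cookie, scoped to the parent domain, reaches the typo host, whereas `prefs` (no `Domain=` attribute, plus `Secure`) never leaves `www.example.com` or plain-http requests. That is the defensive lesson of the article: a site that must share cookies across subdomains is only as safe as every host in that domain, including ones it does not operate, so session material should be host-only and marked Secure (and, per the article, served over HTTPS) wherever the application allows.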

And this subdomain security risk may not just be an ISP problem, researchers say. Danny McPherson, director of security research for Arbor Networks, says in a new blog post: "I would emphasize (as DMK did subtly note) that, even for the attacks DMK outlined, you do NOT have to be the ISP/packet data path at all to molest Internet users, just in the DNS 'control path'."

Kaminsky says the PITM problem itself was easy to spot and demonstrate, especially because XSS is so prolific. “Cross-site scripting is the new buffer overflow. It’s everyone’s first exploit."

He says he spoke with Earthlink about its vulnerability, which it has since fixed, and then to Barefruit engineers, who he says were responsive and “on it” when he alerted them to the vulnerabilities, although they remain at risk of such bugs in the future. He says he decided to go public with the research at this time because of his and Larsen’s concerns about hotly debated language in Network Solutions’ DNS hosting contracts that includes the right to inject its own host into a purchased domain.

Earthlink uses Barefruit’s service, and since Comcast outsources some of its network to Earthlink, it’s also affected by this, Kaminsky says. Verizon is using a similar approach with a provider other than Barefruit, he says, as is Time Warner, and Qwest is trialing Barefruit.

Kaminsky and Larsen, meanwhile, have also sent letters to several major Websites they had discovered were at risk of these attacks. “We believe that the security hole is reasonably straightforward to fix, either by temporarily disabling the advertising server, or by resolving the error condition that allows Cross-Site Scripting,” they wrote. “We are contacting the affected ISPs to address at least the security issue in play. The fundamental trademark violation issue is outside our scope; however, we encourage you to pay close attention to this case, as the fundamental design of these advertising systems requires direct impersonation of your protected marks.”

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...