When Monetizing ISP Traffic Goes Horribly Wrong
In seeking to further monetize Web site traffic on their networks, a number of major Internet service providers may be inadvertently exposing their customers to a greater risk of online attack from identity thieves, according to research released today.
Many ISPs have already adopted the controversial practice of serving advertisements when a customer tries to browse to a Web site that does not exist. But a growing number of providers also are serving ad-filled pages when customers request a subdomain of a Web site that does not exist, such as something.example.com. This practice, which experts say potentially introduces new copyright violation claims, also potentially introduces security threats when ISPs outsource the ad-serving process to third parties.
The findings come from Dan Kaminsky and Jason Larsen, security researchers from IOActive, a security company based in Seattle, the site of the Toorcon hacker conference where the two are expected to unveil their research today. Update, 3:52 p.m. ET: The slides from their talk can be found here.
According to the duo, ISPs like Earthlink, Qwest and Verizon have outsourced at least portions of their ad-serving technology to BareFruit, a London-based company that specializes in helping ISPs monetize wayward Web searches. The trouble is that until late this week, BareFruit's ad servers were vulnerable to what Kaminsky called a "trivial to find and exploit" vulnerability that would make it simple for fraudsters to trick users of those ISPs into visiting malicious Web sites that appear to be located at trusted sites.
So, for example, the customer clicks on a link like http://something.example.com, and while that link would indeed load the "example.com" site in the user's browser, the vulnerability would allow fraudsters to load hostile content from another site into the user's browser, such as a fake login page.
Kaminsky and Larsen also found they could use the vulnerability to steal cookies on the user's machine. Cookies are simple text files that many sites store on visitors' machines to record information that identifies the user when they return. By swiping someone else's cookies, it is often possible to log in as that victim at the Web site that issued the cookie.
The researchers said the vulnerability that allowed this kind of access to ISP users resulted from a simple cross-site scripting (XSS) flaw in the BareFruit service. Cross-site scripting vulnerabilities occur when Web sites accept input from the user -- usually from something like a search box or an e-mail form -- but do not properly filter that input to strip out or disallow potentially malicious code. The danger is that phishers and online scammers can exploit these types of flaws to make their scams appear more legitimate, because XSS vulnerabilities allow the attacker to force the target site to load content from somewhere else.
Kaminsky, widely considered one of the foremost experts on the security of the domain name system (DNS, as it's more commonly called, is the method by which Web site names are mapped to numeric Internet addresses), said he discovered ISPs were using BareFruit by mapping DNS requests from BareFruit's servers back to residential customers at various providers. He said the discovery disturbed him because it means many ISPs are placing the security and privacy of their customers squarely in the hands of a third-party ad company.
"This kind of practice means the security of the Web is being limited to the security of this ad server," Kaminsky told Security Fix on Friday. "My work is to secure the Web and other computer infrastructure, but this becomes near impossible when other people are injecting content into domains that I am professionally trying to secure. I can audit every single line of code in the browser and in the Web site, and I still have no idea what the Web site is going to send the browser because who knows what's going to make it through all those devices?"
BareFruit spokesman Dave Roberts said the company fixed the vulnerability this week after receiving word from the IOActive researchers. But the ISPs alleged to be engaging in this process were a bit more cagey about acknowledging their use of BareFruit to monetize traffic to nonexistent domains and subdomains.
Earthlink declined to make someone available to discuss the company's practices on this front, but it did acknowledge that it uses BareFruit's DNS error functionality "to enhance our users' experience," the company said in a statement e-mailed to Security Fix. "We believe that the service provides a positive experience for our Internet users. We continue to watch our system closely, quickly resolve any issues that occur, and listen to what our customers tell us about their online experience."
Cox Communications spokesman David Grubert said the company uses BareFruit through its partnership with search engine giant Yahoo. Grubert said the company currently does not use BareFruit to inject ads when customers request nonexistent subdomains, but that the company was considering implementing that feature in the future.
Kaminsky presented Security Fix pages of records showing numerous Verizon DSL customers being redirected through BareFruit's Web servers. Verizon spokesman Eric Rabe said that while the company does use Yahoo to monetize traffic for nonexistent and subdomain errors, he was emphatic that Verizon does not use BareFruit's service.
Registrar and hosting provider Network Solutions has also acknowledged that it serves ads on nonexistent subdomains of domains its customers own. Qwest officials did not return calls seeking comment.
John R. Levine, author of The Internet for Dummies, said Internet users -- at least here in the United States -- can expect to be exposed to more vulnerabilities such as those highlighted by Kaminsky and Larsen, as long as ISPs continue to be given so much leeway with the privacy and security of their customers.
"Large ISPs tend to have terms of service that say whatever we give you is what you bought," Levine said. "The ISPs will say they're doing wonderful favors for users who might have to otherwise go back and type in the real name of the site they're seeking. But the reality is that anytime ISPs add yet another level of complexity to their networks, they necessarily introduce more security bugs."
Kaminsky said the practice of subdomain DNS error hijacking is partly illustrative of what he calls the "Times Square effect": the ads shown in movie and TV depictions of all the blinking digital billboards in Times Square often are paid for and arranged in advance by advertisers, and don't necessarily reflect the same ads that an average visitor to the physical Times Square might see at any given day or time.
"There's no contractual obligation between, say Earthlink and washingtonpost.com to deliver content in a certain way, and theoretically trademark and copyright law is the only force that prevents [ISPs] from putting in whatever material they want, from adding or removing content to rejecting or replacing ads that were already on the site," Kaminsky said. "What we're seeing here is this first instance, trivially, of the Times Square effect coming into play, where there's no obligation to display content of various trademarked sites in a particular way. And as a side effect, it makes it more difficult to secure the Web when this kind of behavior takes place."
Bret A. Fausett, an intellectual property attorney and blogger at Cathcart, Collins & Kneafsey LLP in Los Angeles, said it's tough to say ISPs are breaking the law when they place their own ads on sites that are for all intents and purposes otherwise owned by companies with a trademark claim to those domains. But that doesn't mean ISPs are legally invulnerable to potential trademark infringement claims for this practice.
"If someone wants to go to Amazon.com and [the ISP serves] something for which there is no [DNS] record configured and the ISP captures that and throws up an ad for a competitor while the browser says I am at Amazon.com, I could make a trademark argument on that, sure," Fausett said.
Most ISPs that use BareFruit's service - either for domain or subdomain DNS errors - redirect the customer to a site that clearly explains that the requested domain was not found. But as long as these types of vulnerabilities are around, ISPs cannot effectively control what their customers see in the address field of their browser, Kaminsky said.
"Indeed, it is our sense that the HTTP web becomes insecurable if man-in-the-middle attacks are monetized by providers -- if we don't know what bits are going to reach the client, how can we control for flaws in those bits?" Kaminsky said.
Most Internet providers that hijack errant DNS queries from customers say the service is "opt-out," in that customers can disable the service if they like. Web site owners can create what's known as a "wildcard" DNS A record for their domains, which can be configured so that any unrecognized subdomain requested by a visitor routes the user to the main Web site. The DNS redirection services employed by ISPs and hosting providers only work on domains that have not set up such a wildcard record.
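As an added example (my own code, not the article's or IOActive's), the check below asks the local resolver for a random label under several unrelated domains and applies the distinction the paragraph draws: a random name that resolves under only one domain reflects that domain's own wildcard record, while the same answer coming back across unrelated domains points at synthesis by the resolver in use. The zone names, verdict labels and the "unrelated zones share no address" heuristic are assumptions of this example.

```python
# Added example, not from the article: does the resolver in use synthesize
# answers for names that should not exist, and is that the zone's own wildcard
# or a resolver-level rewrite?
import secrets
import socket
from typing import Dict, Iterable, Set

def random_label(nbytes: int = 8) -> str:
    """A label nobody has registered, e.g. 'x3f9a1c2b7d4e6f01'."""
    return "x" + secrets.token_hex(nbytes)

def resolve_a(name: str) -> Set[str]:
    """IPv4 addresses the local resolver returns for name; empty on NXDOMAIN."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, 80, socket.AF_INET)}
    except socket.gaierror:
        return set()

def classify(results: Dict[str, Set[str]]) -> Dict[str, str]:
    """results maps a zone to the addresses returned for a random label under it.

    Verdict per zone:
      'nxdomain'  - nothing resolved; the resolver answered honestly
      'wildcard'  - resolved to addresses seen under no other probed zone
                    (consistent with the zone's own *.zone A record)
      'rewritten' - resolved to addresses shared with an unrelated zone
                    (consistent with synthesis by the resolver itself)
    Heuristic assumption: unrelated zones do not share wildcard addresses.
    """
    verdicts = {}
    for zone, addrs in results.items():
        if not addrs:
            verdicts[zone] = "nxdomain"
            continue
        shared = any(addrs & other for z, other in results.items() if z != zone)
        verdicts[zone] = "rewritten" if shared else "wildcard"
    return verdicts

def probe(zones: Iterable[str]) -> Dict[str, Set[str]]:
    """Query one fresh random label under each zone through the system resolver."""
    return {zone: resolve_a(f"{random_label()}.{zone}") for zone in zones}

if __name__ == "__main__":
    # Probe zones that have nothing to do with each other; a shared answer
    # across them implicates the resolver, not the zones.
    for zone, verdict in classify(probe(["example.com", "example.net", "example.org"])).items():
        print(f"{zone}: {verdict}")
```

Run it from a customer network; pick probe zones from different operators, since two zones whose wildcards happen to point at the same hosting address would be reported as "rewritten".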
April 19, 2008; 2:00 PM ET
Categories: From the Bunker