Subscribe to
Computerworld EarthLink redirect service poses security risk, expert says
Service used by EarthLink, NetSol and others goes horribly wrong
Active Comments
 The Security Zone
With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones
|
April 19, 2008 (IDG News Service) A vulnerability in servers used by EarthLink Inc. to handle mistyped Web page requests may have allowed attackers to launch undetectable phishing attacks against any Internet site, according to a noted Internet security researcher.
The bug, which was patched earlier this week, underscores a fundamental security risk in the way that some Internet service providers are attempting to generate advertising revenue from mistyped Web addresses, said Dan Kaminsky, director of penetration testing at IOActive Inc., a security consulting firm.
The vulnerability was in a service called Barefruit, which EarthLink has been using since August 2006 to return Web pages with search terms and advertising to customers who mistype a domain name in their browser.
London-based Barefruit operates a service that works with Domain Name System (DNS) servers, which are used by the browser to translate domain names, such as Yahoo.com, into numerical Internet Protocol addresses. Typically, when a browser asks a DNS server for a nonexistent Internet address -- adsewrds.yahoo.com, for example -- the DNS server returns an error message indicating that no such address exists. With Barefruit's servers, the user is told that the address does exist and is then sent to a Web page that displays advertising and suggested search terms.
Because of a bug in the software used to redirect users to these advertising and search pages, Kaminsky was able to get the pages to run his own JavaScript code. With the browser treating this code as if it were from a legitimate domain, Kaminsky was able to steal users' cookies, create fake Web sites that appeared to be hosted on legitimate domains, and even log into certain Web sites without authorization.
Generating revenue from domain name typos has generated controversy before. In 2003, domain name registrar VeriSign was forced to disable a similar system called SiteFinder, which redirected Web surfers who had typed nonexistent domains.
EarthLink is not the only Internet service provider to be testing this system. Kaminsky said he found evidence of Barefruit or similar systems being tested on Verizon, Time Warner, Qwest and Comcast, which outsources some of its network to EarthLink.
"The security of the entire Web for these ISPs is right now limited by the security of some random ad server run by a British company," he said. "Somebody running an ad server controls the security of whitehouse.gov. This is not a good situation."
A Verizon Communications Inc. spokesman said that his company was not using the Barefruit service.
In a statement, EarthLink confirmed that it had patched Kaminsky's bug but did not address the broader security concerns that Kaminsky believes are raised by this model.
Reprinted with permission from
IDG.netStory copyright 2008 International Data Group. All rights reserved.
Today's Top Stories
Resource Alerts
Webcasts
Web Threats Don't Discriminate
The Secure Web Gateway. Mission Critical For Business
Dynamic Data Center and Virtualization Drives Operational Excellence at Emory Healthcare
Editor's Picks
Clues point to Jan. 13 release of Windows 7 beta
Microsoft releases Vista SP2 beta
Obama's DHS pick may find support for raising H-1B cap at confirmation hearing
IBM wants info from Apple execs in Papermaster case
License server glitch exposes SonicWall users to e-mail security threats
Report: Former AOL chief exec tries to raise funds to buy Yahoo
 Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day.New baits 
|
|
 |
|
Patrick Thibodeau: Satellite images of U.S military bases Which is more important? Helping terrorists or protecting military bases? Answer: protecting Web 2.0 ... [more] |
| White Papers  Read up on the latest ideas and technologies from companies that sell hardware, software and services. | ||||||
|
