URL Typo Correction Services Kill

« The Problem With EV SSL | Main | XSS Watch, PA Primary Special Edition »

April 21, 2008

URL Typo Correction Services Kill

ISPs eager to monetize their users’ mistyped URLs are setting them up for trouble as the servers that handle the typo correction prove vulnerable to assorted attacks.

Being an OpenDNS user, I haven’t noticed whether my particular ISP does this or not. I’d guess it doesn’t, just because it’s pretty hands-off. If yours is, maybe OpenDNS is an alternative to consider.

“That fat-fingered URL could result in more than just a page error: Major broadband ISPs such Earthlink, Comcast, and Verizon, are running advertising servers that capture such error traffic, but these servers are also are putting major Websites as well as their visitors at risk of cross-site scripting (XSS) and other attacks, according to researchers.

“Dan Kaminsky, director of penetration testing for IOActive, at ToorCon in Seattle this weekend demonstrated what he calls a ‘Provider-in-the Middle Attack’ or PITMA, an attack that steals cookies and injects content into legitimate Web pages via an ad server — in the demo, an Earthlink ad server — that contained a cross-site scripting flaw. He showed the attack to illustrate how these ad servers, which redirect a user that types in an incorrect URL, can be abused by the bad guys to compromise the Associated Press, Facebook, MySpace, and other Websites.

“Kaminsky said in an interview prior to his demo at ToorCon that the ad servers, which are run by the advertisers on behalf of the ISPs, impersonate some trademarked domains via DNS. But ISPs aren’t intentionally putting legitimate sites such at risk, and the problem is more a side effect of this ad server model. ‘They are trying to monetize the vast number of eyeballs that go through them but don’t stop along the way… I don’t think the [security problem] is intentional. No one set out to make the Web less secure,’ Kaminsky says.

“But that’s just what this arrangement has done, he says. ISPs are working with error-resolution services, such as Barefruit, that help squeeze ad revenue out of URL typos so that when a user mistypes www.facebook.com, for example, his ISP sends him to a URL that’s an available subdomain of Facebook that contains ads for alternative sites to Facebook on the page, for instance. ‘They say [to the ISP]: ‘You deploy this box, and we’ll dynamically register and create these records when a user mistypes something,” Kaminsky says.”

(Link)

Previously: