
Making Money From Error Pages, ISPs Put Users At Security Risk


Lane R Ellis      
Lead Editor,
SearchEngineWorld

11:36 pm on April 21, 2008 (utc 0)
More than 70 Internet service providers are using a technique that can put their customers' online security at risk, according to computer security expert Dan Kaminsky, who on Friday revealed how users of EarthLink could be targeted for various hacking exploits made possible through an agreement the ISP has with London-based advertising company BareFruit that attempts to make money when people misspell Web site names. Instead of displaying a simple error message when a mistyped Web site name is entered into a Web browser, the ISPs Kaminsky has uncovered present a page of suggested links with accompanying paid advertisements. In the case of EarthLink, Kaminsky discovered a vulnerability that allowed insecure servers at BareFruit to present malicious content that appeared to come from major Web sites such as Google, eBay and PayPal.


Subverting Network Neutrality Tradition

The Internet domain name system (DNS), which converts text-based Web site names into the numeric Internet protocol (IP) addresses the Internet framework uses, is not the culprit in the type of security risk that Kaminsky and fellow security researcher Jason Larson at Seattle-based security firm IOActive uncovered. Instead, the cause is shared by ISPs that have sought to make money from what has traditionally been a simple error page, and by advertising companies such as BareFruit that specialize in monetizing mistyped domain names.

Kaminsky presented research Saturday at the ninth annual ToorCon hacking conference showing that BareFruit operated Web servers vulnerable to relatively simple-to-exploit JavaScript cross-site scripting (XSS) security holes, which made it possible for attackers to create and display Web pages appearing to come from some of the Web's most trusted sites. Kaminsky showed examples of the exploit at the Saturday conference, displaying Web pages that delivered malicious code while appearing in the Web browser as trusted domains.

After being presented with Kaminsky's findings Friday, EarthLink partner BareFruit quickly patched the vulnerabilities on its servers. However, the danger of additional exploits will remain as long as ISPs continue to show customers their own content instead of displaying uniformly simple error messages when non-existent domain names are typed into Web browser address bars by mistake, according to Kaminsky. "The entire security of the internet is now dependent on some random ad server run by some British company," Kaminsky said in a recent Wired report. In addition to EarthLink, which began re-packaging requests for non-existent domains in August 2006 and injecting paid advertising, Kaminsky noted that certain Comcast subscribers were also at risk.


Luckily, the exploit Kaminsky revealed does not affect all incorrectly typed domain names, but only those entered as non-existent prefixes to existing domains, so-called sub-domains, such as logon.google.com, which could be entered by mistake instead of login.google.com. In such situations an ISP can display an advertising-filled page of suggested links while the Web browser continues to show the Google domain name in the address box, even though the ISP doesn't own the Google domain name, a situation Kaminsky believes may bring up not only security concerns, but also potential copyright issues. Some Web security analysts believe users are more apt to be fooled by malicious Web pages that masquerade as a large trusted Web site, especially when the name of that company is in the Web browser's address bar.

Attackers exploiting the vulnerability could have created custom links on their Web sites using thousands of non-existent sub-domains tacked in front of highly trusted Web sites, leading anyone unfortunate enough to click on such a link to potential security risks limited only by the attackers' programming skills. The technique could display a bank or PayPal logon page with a domain ending in that bank's name or paypal.com, while the actual page content would exist on the attackers' Web servers. Kaminsky and Larson were also able to exploit the EarthLink and BareFruit vulnerability to steal the Web browser cookie files on users' computers - the small text files used by many Web sites to store information such as user names and passwords and shopping cart records.
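A subscriber-side check for the behaviour described above, added here as an example that is not part of the original article: it asks the system resolver for random, non-existent hosts under several unrelated domains and reports whether addresses come back where an error should. The function names, the example.* parent domains and the rule "the same address under two unrelated parents means the resolver substituted it" are assumptions of this example.

```python
import secrets
import socket
from collections import Counter


def system_resolve(name):
    """IPv4 addresses from the configured resolver; empty set on NXDOMAIN or lookup failure."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_rewriting(parents, resolve=system_resolve, probes=3):
    """Classify each parent domain as 'nxdomain', 'wildcard?' or 'rewritten'."""
    answers = {}
    for parent in parents:
        seen = set()
        for _ in range(probes):
            # Random 16-hex-character label: no real zone should define this host.
            seen |= resolve(f"{secrets.token_hex(8)}.{parent}")
        answers[parent] = seen
    # Count under how many unrelated parents each returned address appeared.
    spread = Counter(ip for ips in answers.values() for ip in ips)
    shared = {ip for ip, n in spread.items() if n >= 2}
    verdicts = {}
    for parent, ips in answers.items():
        if not ips:
            verdicts[parent] = "nxdomain"    # expected: the name does not exist
        elif ips & shared:
            verdicts[parent] = "rewritten"   # same server answers for unrelated zones
        else:
            verdicts[parent] = "wildcard?"   # possibly the zone's own wildcard record
    return verdicts, shared


if __name__ == "__main__":
    # Assumed parents: reserved example domains; substitute domains you care about.
    verdicts, shared = check_rewriting(["example.com", "example.net", "example.org"])
    for parent, verdict in verdicts.items():
        print(f"{parent:15} {verdict}")
    if shared:
        print("substituted addresses:", ", ".join(sorted(shared)))
```

A "wildcard?" verdict means only that one zone answered, which a domain owner's own wildcard record also produces; a resolver that substitutes a different address per domain would not be flagged by the shared-address rule.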

A Spreading Practice

Kaminsky, who is considered one of the top experts on DNS security, noted that along with EarthLink, other large ISPs including Comcast, Qwest, Cox Communications, Verizon and Time Warner's AOL are using the type of non-existent domain name redirection with injected content that makes such attacks possible, placing the burden of authenticity not on the owners of actual domain names, but on ISPs and their advertising partners. "This is not actually rare. This is not a small thing," Kaminsky noted in a recent report.

"This kind of practice means the security of the Web is being limited to the security of this ad server," Kaminsky noted Friday in a Security Fix report. "My work is to secure the Web and other computer infrastructure, but this becomes near impossible when other people are injecting content into domains that I am professionally trying to secure. I can audit every single line of code in the browser and in the Web site, and I still have no idea what the Web site is going to send the browser because who knows what's going to make it through all those devices?" added Kaminsky.

Citing the possibility of using the exploit to spoof governmental domains, Kaminsky noted that, "Somebody running an ad server controls the security of whitehouse.gov. This is not a good situation." Kaminsky and Larsen have called this type of exploit a "provider in the middle," or PiTMA attack.

Some Claim Net Neutrality Violation

By abandoning what has until recently been a key tenet of the founding framework of the Web - not changing information shown to users en route - some ISPs appear to have moved towards making additional money through incorrectly typed domain names, and away from the principles of so-called Net Neutrality. "There's no contractual obligation for ISPs not to change content and inject ads," Kaminsky lamented in the Wired report.

For its part, EarthLink has portrayed the practice of displaying advertising-filled "suggestion" pages as a helpful service to its subscribers, even after Kaminsky and Larson's research came to light. "We offer DNS error functionality for our customers through Barefruit to enhance our users' experience, and we work closely with Barefruit to provide a safe and convenient way for them to find the destination they're looking for online," Chris Marshall, an EarthLink representative, noted, according to Wired. Making no mention of the exploits such practices make possible, Marshall added, "We believe that the service provides a positive experience for our Internet users."

BareFruit too sought to portray the practice as a helpful service to customers, by "providing an improved Internet user interface by replacing unhelpful and confusing error messages with alternatives relevant to what the user was seeking," according to BareFruit spokesman Dave Roberts in the Wired report. David Grubert, a spokesperson for ISP giant Cox Communications, told the Washington Post that his company uses BareFruit as a part of an agreement with Sunnyvale, California-based Web media pioneer Yahoo.

EarthLink and other ISPs that continue the practice of injecting advertisements where non-existent domain error messages typically reside say that the service is "opt-out," allowing subscribers to turn it off if they choose to; however, the method can be difficult for many typical users.
