Major ISPs Injecting Ads, Vulnerabilities Into Web

Rebecca Bug writes "Several Web sites (Wired, eWEEK, The Washington Post) are reporting on Dan Kaminsky's Toorcon discussion of a serious security risk introduced when major ISPs serve ads on error pages. Kaminsky found that the advertising servers are impersonating, via DNS, hostnames within trademarked domains. 'We have determined that these injected servers are, in fact, vulnerable to cross-site scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites,' Kaminsky said, identifying EarthLink, Verizon and Qwest among the ISPs."
  • Re:This is NOT new (Score:2, Informative)

    by ohtani ( 154270 ) on Saturday April 19, 2008 @06:44PM (#23130556) Homepage
    Wow, nice, that URL above set off my avast scanner. Redirects to nimp.org.
  • Verizon (Score:4, Informative)

    by FlyByPC ( 841016 ) on Saturday April 19, 2008 @06:48PM (#23130582) Homepage
    Verizon's DSL service, at least in Philadelphia, redirects DNS lookup failures by default. I found this out after mistyping some URL or other. Looking into it, they do have a way to opt out of this "service" -- although if you're not at least reasonably competent with making TCP/IP configuration changes on a home router, don't bother; it involves looking up and modifying IP addresses. Not a big deal to most /.ers, I'd say, but a nightmare for the general public.

    Perhaps if there's enough coordinated consumer demand, we could create a market for a certified "standard Internet connection" -- which gives a public IP (static or DHCP) and unfiltered, unadulterated 'Net access -- no port blocking, no bandwidth throttling, no DHCP redirects, no PPPoE or other strange "install-this-software-to-connect-to-the-Internet" schemes. Just gimme a basic 'Net feed terminating in an Ethernet port, thankyouverymuch.

    Also, apparently I have yet to "decide" whether I want to choose MSN, AOL, or Yahoo for my "Internet Experience." Such a decision might well take me a while, Verizon...
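The behaviour FlyByPC describes (the ISP resolver answering lookups that should fail) can be checked from any machine before bothering with the opt-out. The following is an added example, not code from the thread or from any ISP: it resolves random labels that cannot exist and judges the answers. An honest resolver fails every probe; a rewriting resolver answers all of them, normally with one advertising-server address. The probe parents example.com and example.net are RFC 2606 reserved names assumed to have no wildcard; the sample addresses are from a documentation range and are constructed.

```python
"""Check whether a resolver rewrites NXDOMAIN into a redirect.

Added example, not code from the original thread or from any ISP. classify()
works on a plain dict so it runs offline on the constructed sample below;
live_probe() collects real answers from the system resolver when run.
"""
import secrets
import socket
from collections import Counter

# Assumption: random labels under these RFC 2606 reserved names never exist.
PROBE_PARENTS = ("example.com", "example.net")


def random_probe_name(parent: str) -> str:
    """A 16-hex-char label nobody has registered, under the given parent."""
    return f"{secrets.token_hex(8)}.{parent}"


def classify(results: dict[str, list[str]]) -> dict:
    """Judge a set of probe results.

    results maps probe name -> sorted list of addresses; [] means the lookup
    failed (NXDOMAIN or error), which is the honest outcome for every probe.
    """
    answered = {name: ips for name, ips in results.items() if ips}
    if not answered:
        return {"verdict": "clean", "sinkhole": [], "answered": 0}
    # Addresses shared by every answered probe are the likely redirect target.
    counts = Counter(ip for ips in answered.values() for ip in ips)
    sinkhole = sorted(ip for ip, n in counts.items() if n == len(answered))
    if len(answered) == len(results) and sinkhole:
        verdict = "hijacked"        # every bogus name resolved to one place
    else:
        verdict = "suspicious"      # some resolved, or to scattered addresses
    return {"verdict": verdict, "sinkhole": sinkhole, "answered": len(answered)}


def live_probe(parents=PROBE_PARENTS, per_parent: int = 2) -> dict[str, list[str]]:
    """Resolve fresh random names with the system resolver (needs network)."""
    results = {}
    for parent in parents:
        for _ in range(per_parent):
            name = random_probe_name(parent)
            try:
                infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
                results[name] = sorted({info[4][0] for info in infos})
            except socket.gaierror:
                results[name] = []
    return results


# Constructed sample: what a rewriting resolver returns (198.51.100.0/24 is a
# documentation range standing in for an ISP advertising server).
SAMPLE_HIJACKED = {
    "3f9a1c2e4b5d6a7f.example.com": ["198.51.100.7"],
    "9d8c7b6a5f4e3d2c.example.com": ["198.51.100.7"],
    "a1b2c3d4e5f60718.example.net": ["198.51.100.7"],
    "0f1e2d3c4b5a6978.example.net": ["198.51.100.7"],
}
# The same probes as an honest resolver would answer them.
SAMPLE_CLEAN = {name: [] for name in SAMPLE_HIJACKED}


if __name__ == "__main__":
    print("sample (hijacked):", classify(SAMPLE_HIJACKED))
    print("sample (clean):   ", classify(SAMPLE_CLEAN))
    print("this resolver:    ", classify(live_probe()))
```

A "hijacked" verdict with a single sinkhole address is the signature of the ad-page redirect; a "suspicious" verdict (only some probes answered, or answers scattered across addresses) is worth a second run with more probes before drawing conclusions, since a legitimate wildcard under one parent produces the same partial picture. Pointing the host at a resolver that does not rewrite, as the comment above suggests, should turn the live result to "clean".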
  • More Data (Score:5, Informative)

    by Effugas ( 2378 ) * on Saturday April 19, 2008 @07:00PM (#23130640) Homepage
    This is Dan -- glad you're all enjoying!

    There's more data here:

    http://www.doxpara.com/DMK_Neut_toor.ppt

    And this is what I sent (many, many) affected sites:

    IOActive Security Pre-advisory: Non-Neutral Major ISP Behavior Injecting Security Vulnerabilities Into Entire Web
    Dan Kaminsky, Director of Penetration Testing, IOActive Inc.
    Jason Larsen, Senior Security Researcher, IOActive Inc.

    Executive Summary: A number of major broadband ISPs have deployed advertising servers that impersonate, via DNS, hostnames within your trademarked domain. We have determined that these injected servers are, in fact, vulnerable to Cross-Site Scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites. Due to recent activity by Network Solutions, we believe this vulnerability will be discovered shortly, and we will thus be unveiling this matter on Saturday, April 19th, at the Seattle Toorcon security conference. We believe that the security hole is reasonably straightforward to fix, either by temporarily disabling the advertising server, or by resolving the error condition that allows Cross-Site Scripting. We are contacting the affected ISPs to address at least the security issue in play. The fundamental trademark violation issue is outside our scope; however, we encourage you to pay close attention to this case, as the fundamental design of these advertising systems requires direct impersonation of your protected marks.

    Details: We would prefer to keep the names and mechanisms required for this vulnerability under wraps, at least for the next few days, while the ISPs in question manage and mitigate the security implications of this behavior. We can confirm the following attacks have been verified to work against your site, via this XSS vulnerability:

    A) Arbitrary cookie retrieval. Any web page on the Internet can retrieve all non-HTTP-only cookies from your domains.
    B) Fake site injection. A victim can be directed to "server2.www.realsite.com" or "server3.www.realsite.com", which will appear to be a host in your domain. We believe any phishing attempts from this perfect-address spoofed subdomain are more likely to be successful.
    C) Full page compromise. A victim can be directed to your actual HTTP site, with all logged in credentials, and our attack page will still be able to fully manipulate the target site as if we ourselves were the victim. Note, while we cannot attack HTTPS resources, we can prevent upgrade from HTTP to HTTPS. This may affect any shopping carts within your sites.

    We believe this behavior is illustrative of the risks of violating Network Neutrality. Indeed, it is our sense that the HTTP web becomes insecurable if man-in-the-middle attacks are monetized by providers -- if we don't know what bits are going to reach the client, how can we control for flaws in those bits?

    We do not believe the vulnerability is intentional, only the injection. We were partially involved in the discovery of the Sony Rootkit some time ago; we recognize this pattern. That case resolved itself reasonably, and we are hopeful this one can be managed just as well. If your technical, press, or legal staff has any comments on this matter, please feel free to contact us at dan.kaminsky@ioactive.com. This is a matter that strikes at the core of the viability of HTTP as a medium for business, and we are committed to defending this medium for your operations. Thank you!

    Yours Truly,

          Dan Kaminsky
          Jason Larsen
  • by spazdor ( 902907 ) on Saturday April 19, 2008 @07:16PM (#23130752)
    do not click.
  • by Nullav ( 1053766 ) <moc@noSPAM.liamg.valluN> on Saturday April 19, 2008 @08:06PM (#23131078)
    You realize OpenDNS also throws up ads when you mistype a URL, right? That includes subdomains, by the way.
  • by LordLucless ( 582312 ) on Saturday April 19, 2008 @08:28PM (#23131234)
    This would accomplish absolutely nothing. They're not inserting ads into existing pages. What they're doing is returning their own pages from domains that don't exist. So, for instance, if you went to "http://www.salsdot.org/" (a non-existent domain), you would get an advert page instead of the standard error page.

    The current problem with this is that a lot of security assumptions are tied to domains. So for instance, if you run a site called "blahblah.com", and an ISP hijacks the non-existent domain "bleh.blahblah.com", certain actions that are only permissible for interactions on the same domain will suddenly become available. That is, an insecure hijacked page provides an attack vector to your own site.

    The ultimate problem with this (as the above is a fairly simple problem to fix) is that the ISP is leveraging the domain of someone who has purchased an exclusive right to that domain. In addition, some domains are also trademarks, in which case they're violating trademark law. But at no stage are they violating copyright law, or modifying the original content, so that disclaimer you recommend wouldn't apply.
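The "security assumptions tied to domains" in the comment above, and attack A in Kaminsky's advisory (cookie retrieval from an injected host), both come down to the browser's cookie domain-matching rule. The following is an added example, not code from the thread or from IOActive: it models that rule from RFC 6265 and asks, for an injected host such as server2.www.realsite.com (the hypothetical name used in the advisory), which cookies a browser would attach to a request there and which of those a script on that page could read through document.cookie. The cookie names and values are constructed.

```python
"""Which of your cookies reach an ISP-injected host inside your domain.

Added example, not code from the original thread or from IOActive. Models the
RFC 6265 domain-matching rule a browser applies when choosing cookies for a
request, for a hypothetical injected host under www.realsite.com.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str          # Domain attribute, or the setting host when none given
    host_only: bool      # True when Set-Cookie carried no Domain attribute
    http_only: bool = False
    secure: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host is the cookie domain or a subdomain of it."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def cookies_for_request(jar, request_host, https=False):
    """Cookies a browser sends to request_host (Path matching left out)."""
    sent = []
    for c in jar:
        if c.secure and not https:
            continue                       # Secure cookies never go over HTTP
        if c.host_only:
            if request_host.lower() != c.domain.lower():
                continue                   # host-only: exact host match only
        elif not domain_matches(request_host, c.domain):
            continue
        sent.append(c)
    return sent


def readable_from_script(jar, page_host, https=False):
    """What document.cookie exposes on a page served from page_host."""
    return [c for c in cookies_for_request(jar, page_host, https)
            if not c.http_only]


# Constructed jar for the site www.realsite.com, as set by its own responses.
SAMPLE_JAR = (
    Cookie("session", "s3cr3t", "realsite.com", host_only=False, http_only=True),
    Cookie("prefs", "lang=en", "realsite.com", host_only=False),
    Cookie("csrf", "t0k3n", "www.realsite.com", host_only=True),
    Cookie("auth", "tok3n2", "realsite.com", host_only=False, secure=True),
)

INJECTED_HOST = "server2.www.realsite.com"   # hypothetical ISP ad server name


def exposure(jar=SAMPLE_JAR, host=INJECTED_HOST):
    """Names of cookies sent to, and readable on, a plain-HTTP page at host."""
    return {
        "sent": [c.name for c in cookies_for_request(jar, host)],
        "readable": [c.name for c in readable_from_script(jar, host)],
    }


if __name__ == "__main__":
    print(exposure())
```

The two cookies set with Domain=realsite.com travel to the injected host because it sits under that domain; the HttpOnly one is invisible to document.cookie (which is why the advisory limits attack A to non-HTTP-only cookies), the Secure one is never sent over plain HTTP, and the host-only cookie for www.realsite.com is not sent to a sibling host at all. Setting cookies without a Domain attribute and marking them HttpOnly and Secure therefore shrinks what an XSS on an injected host can steal, but it does not close the problem: a page on a subdomain can still set cookies scoped to the parent domain, so the fix the advisory asks for, removing the injected server, remains the one that actually matters.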
  • by Anonymous Coward on Saturday April 19, 2008 @09:01PM (#23131468)
    It may be a convenient service, but it causes the same problems as other DNS based "ads on unused domains" schemes, plus at least one other major problem that the other systems don't have: OpenDNS hijacks www.google.com and redirects it through an OpenDNS server. That's right, if you use OpenDNS, you're not talking to www.google.com.

    OpenDNS endorsements/ads are entirely misplaced in a discussion about correct DNS use.
  • by ScrewMaster ( 602015 ) on Saturday April 19, 2008 @10:22PM (#23131934)
    Forced into being common carriers? They're fighting tooth and nail to keep their common carrier status.

    You are incorrect. That battle was fought years ago and they won it: even the Telcos, which do fall under that regulation, only count as common carriers for their voice services. Data services received an exemption and are consequently not subject to the universal coverage and quality-of-service standards to which phone companies must adhere.
  • Re:brought to you (Score:5, Informative)

    by PReDiToR ( 687141 ) on Sunday April 20, 2008 @12:11AM (#23132492) Homepage Journal
    Duped? I feel duped, but not in that way.

    I have been trying to get an article about Phorm [phorm.com] onto the front page for ages.
    Maybe I should have tried this angle.

    How about a compromised adserver on the Phorm [wikipedia.org] network?
    Every BT, Virgin and Carphone Warehouse customer would have malware foisted upon them by their ISP.

    News for American nerds, maybe. UK nerds might like to know about things like this without having to check the Phorm files [theregister.co.uk] at El Reg.
