Sunday, April 20, 2008

ISPs' Error Page Ads Let Hackers Hijack Entire Web

Via Wired.com -

Seeking to make money from mistyped website names, some of the United States' largest ISPs instead created a massive security hole that allowed hackers to use web addresses owned by eBay, PayPal, Google and Yahoo, and virtually any other large site.

The vulnerability was a dream scenario for phishers and cyber attackers looking for convincing platforms to distribute fake websites or malicious code. The hole was quickly and quietly patched Friday after IOActive security researcher Dan Kaminsky reported the issue to Earthlink and its technology partner, a British ad company called Barefruit. Earthlink users, and some Comcast subscribers, were at risk.

Kaminsky warns that the underlying danger lingers on.

"The entire security of the internet is now dependent on some random-ass server run by some British company," Kaminsky said.

At issue is a growing trend in which ISPs subvert the Domain Name System, or DNS, which translates website names into numeric addresses.

When users visit a website like Wired.com, the DNS system maps the domain name into an IP address such as 72.246.49.48. But if a particular site does not exist, the DNS server tells the browser that there's no such listing and a simple error message should be displayed.

But starting in August 2006, Earthlink instead intercepts that Non-Existent Domain (NXDOMAIN) response and sends the IP address of ad-partner Barefruit's server as the answer. When the browser visits that page, the user sees a list of suggestions for what site the user might have actually wanted, along with a search box and Yahoo ads.

The rub comes when a user is asking for a nonexistent subdomain of a real website, such as http://webmale.google.com, where the subdomain webmale doesn't exist (unlike, say, mail in mail.google.com). In this case, the Earthlink/Barefruit ads appear in the browser, while the title bar suggests that it's the official Google site.

As a result, all those subdomains are only as secure as Barefruit's servers, which turned out to be not very secure at all. Barefruit neglected basic web programming techniques, making its servers vulnerable to a malicious JavaScript attack. That meant hackers could have crafted special links to unused subdomains of legitimate websites that, when visited, would serve any content the attacker wanted.

The hacker could, for example, send spam e-mails to Earthlink subscribers with a link to a webpage on money.paypal.com. Visiting that link would take the victim to the hacker's site, and it would look as though they were on a real PayPal page.
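The NXDOMAIN rewriting described above can be checked from the client side by asking a resolver for a random label that should not exist and inspecting the reply code. The following Python sketch is an added example, not code from the article or from any party it names; the function names, the sample replies and the `example.com` name are constructed, and `probe` assumes the parent domain you pass has no wildcard record of its own.

```python
import secrets
import socket
import struct

def build_query(name, txid):
    """Encode a standard recursive A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, txid):
    """Classify a reply to a query for a name that should not exist."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction ID or QR bit unset
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 3:
        return "honest-nxdomain"           # resolver passed NXDOMAIN through
    if rcode == 0 and ancount > 0:
        return "rewritten"                 # an address came back for a bogus name
    return "inconclusive"                  # NODATA, SERVFAIL, REFUSED, ...

def probe(resolver_ip, parent_domain, timeout=3.0):
    """Query resolver_ip for a random label under parent_domain (live network)."""
    name = secrets.token_hex(12) + "." + parent_domain
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return name, classify(data, txid)

# Constructed sample replies (not captured traffic): header + echoed question.
_Q = build_query("webmale.example.com", 0x1234)[12:]
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _Q
SAMPLE_REWRITTEN = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)  # A record, TTL 60
    + socket.inet_aton("192.0.2.10")                   # documentation-range address
)
```

Running `probe` against both the ISP resolver and an independent one, for the same parent domain, separates resolver-side rewriting from a wildcard published by the domain owner.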
