4/20/2008

EU to punish incitement to terrorism on Internet

Filed under: — Aviran Mordo

EU states agreed on Friday on tight laws against incitement to terrorism in order to clamp down on militant groups’ use of the Internet.

EU justice and interior ministers also agreed in Luxembourg on an action plan to try to stop groups getting explosives.

Police say the Internet has taken on huge importance for militants, enabling them to share know-how, plan operations and spread propaganda to a mass audience.

“The Internet is used to inspire and mobilize local terrorists … functioning as a virtual training camp,” a text agreed by ministers said.

EarthLink Redirect Service Poses Security Risk, Expert Says

Filed under: — Aviran Mordo

A vulnerability in servers used by EarthLink to handle mistyped Web page requests may have allowed attackers to launch undetectable phishing attacks against any Internet site, according to a noted Internet security researcher.

The bug, which was patched earlier this week, underscores a fundamental security risk in the way that some ISPs are attempting to generate advertising revenue from mistyped Web addresses, said Dan Kaminsky, director of penetration testing with IOActive, a security consulting firm.

The vulnerability was in a service called Barefruit, which EarthLink has been using since August 2006 to return Web pages with search terms and advertising to customers who mistype a domain name in their browser.

Because of a bug in the software used to redirect users to these advertising and search pages, Kaminsky was able to get the pages to run his own JavaScript code. With the browser treating this code as if it were from a legitimate domain, Kaminsky was able to steal users’ cookies, create fake Web sites that appeared to be hosted on legitimate domains, and even log into certain Web sites without authorization.

Generating revenue from domain name typos has stirred controversy before. In 2003, domain name registrar Verisign was forced to disable a similar system called SiteFinder, which redirected Web surfers who had typed nonexistent domains.

EarthLink is not the only ISP to be testing this system. Kaminsky said he found evidence of Barefruit or similar systems being tested on Verizon, Time Warner, Qwest and Comcast, which outsources some of its network to EarthLink.
