
ISPs’ Error Pages Provided Hackers Access To Outside Servers


Okay, say you use a Web browser like Internet Explorer, Firefox, Opera, or Safari. And you don’t have any special add-ons or extensions that help you auto-correct the input of URLs into the main search bar. If you so happen to misspell a domain, you might get directed to a page run by your ISP, laden with advertisements and advertisements and more advertisements. Pretty much all advertisements, really. Which is kind of annoying, but alright, not the worst thing to happen in the grand scheme of things, right?

Wrong. So says security researcher Dan Kaminsky of IOActive, who, according to a report by Ryan Singel of Wired’s Threat Level blog, found that prior to this past Friday, ISPs had on their hands a fairly large hole that may have been exploited by phishers and other cyber malfeasants “to distribute fake websites or malicious code.” In particular, service providers like Earthlink and Comcast were told that their subscribers were at risk.

Kaminsky is offering an assurance that the threat has been addressed and patched late last week, but he says that “the underlying danger lingers.” According to his findings, the advertisements delivered through those error portals are distributed by a UK-based company called Barefruit. Kaminsky goes on to argue that “the security of the Internet is now dependent on some random-ass server run by some British company.”


Some might take Kaminsky’s warning to be somewhat excessive in alarm, but an explanation given for what might have occurred through said advertisement pages offers plenty to be concerned over.

“…those subdomains are only as secure as Barefruit’s servers, which turned out to be not very secure at all. Barefruit neglected basic web programming techniques, making its servers vulnerable to a malicious Javascript attack. That meant hackers could have crafted special links to unused subdomains of legitimate websites that, when visited, would serve any content the attacker wanted.

The hacker could, for example, send spam e-mails to Earthlink subscribers with a link to a webpage on money.paypal.com. Visiting that link would take the victim to the hacker’s site, and it would look as though they were on a real PayPal page.

Kaminsky demonstrated the vulnerability by finding a way to insert a YouTube video from 80s pop star Rick Astley into Facebook and PayPal domains. But a black hat hacker could instead embed a password-stealing trojan. The attack might also allow hackers to pretend to be a logged-in user, or to send e-mails and add friends to a Facebook account.”

If such hacks were in fact possible simply through the error-prone keyboard inputs of average Web users - and there’s little reason to suspect Kaminsky is playing the role of a misleading and deceptive alarmist, given his well-regarded status in the computer security field - then it may well behoove all Web users to pay extra special attention to Internet requests made through their browsers. Perhaps a good solid URL auto-correction add-on would be a smart item to download today, if you haven’t done so already.
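The mechanism the quoted passage describes starts with a resolver that hands back an address for names that should not exist at all. One way a defender can check whether their own ISP’s resolver behaves this way, as an added example (my code, not from the article, from Kaminsky, or from Wired): it queries random, effectively nonexistent subdomains of several unrelated reserved domains and flags the resolver when the same address comes back under all of them, which separates resolver-level rewriting from a wildcard record a domain owner published on purpose. The function and label names are my own; example.com, example.net and example.org are reserved example domains, and the resolver is injectable so the logic can be exercised without network access.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional

# Resolver signature: hostname -> IP address string, or None when the name
# does not resolve (NXDOMAIN or any other lookup failure).
Resolver = Callable[[str], Optional[str]]


def system_resolver(hostname: str) -> Optional[str]:
    """Resolve through the operating system's configured DNS server."""
    try:
        return socket.gethostbyname(hostname)
    except (socket.gaierror, socket.herror):
        return None


def random_label(length: int = 20) -> str:
    """Return a random lowercase label that is vanishingly unlikely to exist."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choices(alphabet, k=length))


def probe_domain(base_domain: str, resolve: Resolver, probes: int = 2) -> List[str]:
    """Query random subdomains of base_domain and return every address answered.

    A correctly behaving resolver returns nothing here. Any address means either
    a wildcard record published by the domain owner or rewriting by the resolver.
    """
    answers: List[str] = []
    for _ in range(probes):
        addr = resolve(f"{random_label()}.{base_domain}")
        if addr is not None:
            answers.append(addr)
    return answers


def detect_nxdomain_rewrite(
    base_domains: List[str],
    resolve: Resolver = system_resolver,
    probes: int = 2,
) -> Dict[str, object]:
    """Distinguish resolver-level NXDOMAIN rewriting from per-domain wildcards.

    The same address returned for nonexistent names under unrelated domains is
    the signature of the resolver substituting its own landing page. An address
    seen under only one domain is more likely that domain's own wildcard record.
    """
    per_domain = {d: probe_domain(d, resolve, probes) for d in base_domains}

    # Map each answered address to the set of base domains it appeared under.
    seen_in: Dict[str, set] = {}
    for domain, addrs in per_domain.items():
        for addr in addrs:
            seen_in.setdefault(addr, set()).add(domain)

    shared = sorted(a for a, doms in seen_in.items() if len(doms) >= 2)
    wildcard_only = sorted(
        d for d, addrs in per_domain.items()
        if addrs and not any(a in shared for a in addrs)
    )
    return {
        "resolver_rewrite": bool(shared),   # True: resolver answers for nonexistent names
        "landing_addresses": shared,        # where misspelled names are being sent
        "domain_wildcards": wildcard_only,  # domains that legitimately wildcard
        "per_domain": per_domain,
    }


if __name__ == "__main__":
    # Unrelated reserved domains: a shared answer across them points at the resolver.
    report = detect_nxdomain_rewrite(["example.com", "example.net", "example.org"])
    if report["resolver_rewrite"]:
        print("Resolver rewrites NXDOMAIN; landing server(s):", report["landing_addresses"])
    else:
        print("No NXDOMAIN rewriting observed for the probed domains.")
```

Run from a network whose default resolver you want to audit; a clean result prints no landing addresses. If the check flags the resolver, the usual remediation is to switch to a resolver that returns genuine NXDOMAIN answers (many ISPs also offer an opt-out), so that a mistyped hostname under a site like paypal.com fails instead of loading a third party’s page inside that site’s origin.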

(Kaminsky profile image: Fak3r.com)
