Some of the U.S.'s largest ISPs are seeking to make money off mistyped website names and instead created gaping security holes in the web's largest websites, including eBay, PayPal, Google and Yahoo, making it possible for hackers to turn any site on the net into a source of malware, a security researcher revealed Saturday.
The massive vulnerability introduced by Earthlink and Comcast was quietly and quickly patched on Friday, after IOActive security researcher Dan Kaminsky reported the vulnerability to Earthlink and its technology partner Barefruit.
The hole was made possible by ISPs subverting the Domain Name System, or DNS, which translates website names into numeric addresses. Instead of simply returning an error message to a user's browser when a user types the name of a website that doesn't exist, Earthlink and others substitute a page of Yahoo ads and suggest alternate spellings for the non-existent site.
The ads are served up by a British company called Barefruit, which pretends to be the non-existent domain when delivering the ads.
Through an unforeseen consequence of that forgery, combined with Barefruit's failure to screen for rogue JavaScript code, a hacker could create a perfect fraud site imitating eBay that, according to the browser address bar, appeared to be legitimately hosted on ebay.com.
A hacker could also easily have inserted whatever Trojans he wanted into any site on the Internet, so long as he could get someone using one of these ISPs to click on a specially crafted link.
The news of the massive security breach created by ISPs subverting internet protocol for profit comes just two days after the Federal Communication Commission held a hand-wringing public forum at Stanford University over whether it should punish Comcast for its violation of standard internet practices by sending fake packets to its users in order to reduce the amount of bandwidth peer-to-peer applications use.
Kaminsky is demoing the hole publicly on Saturday at the Toorcon security conference in Seattle.
Kaminsky, a well-respected security expert, is perhaps best known for cleverly proving that a spyware rootkit Sony included on music CDs infected computers in more than half a million computer networks in 2005.
While Barefruit fixed the immediate JavaScript hole, the underlying problem -- that large ISPs are ignoring a core internet practice to make money and pretending to be sites that don't exist -- means every site on the net remains vulnerable in ways its operators have no control over, according to Kaminsky.
"The entire security of the internet is now dependent on some random ad server run by some British company," Kaminsky said, adding that he'd talked this week to many internet companies who were pissed, though not at him.
"I can't secure the web as long as ISPs are injecting other content into web pages."
The hole shows the risks of allowing ISPs to violate Net Neutrality principles that seek to keep the internet a series of dumb pipes, according to Kaminsky.
"There's no contractual obligation for ISPs not to change content and inject ads," Kaminsky notes.
DNS expert Paul Vixie says the problem Kaminsky found isn't with the core internet protocols, which he could fix, but instead is a "problem exacerbated by inappropriate monetization of certain DNS features."
Vixie, who is the president of the non-profit Internet Systems Consortium, compared this ISP behavior to VeriSign's 2003 Site Finder project, which it unilaterally launched in September 2003 and then shut down a month later.
In that case, VeriSign, which controls the sales of .com and .net top-level domains through a contract with the U.S. government, began directing users who mistyped domain names to its own servers, where it presented paid search results.
The move outraged the technical community and eventually led to an ICANN commission report (PDF) condemning the practice and an unsuccessful VeriSign lawsuit against ICANN.
"Site Finder showed that [Non-Existent] domain re-mapping is bad for the community," Vixie said. "This would be an example of why it is bad."
Earthlink isn't alone in substituting ad-pages for error messages, according to Kaminsky, who has seen similar behavior from other major ISPs including Verizon, Time Warner, Comcast and Qwest. Earlier this month, Network Solutions, one of the net's largest domain name registrars, was caught creating link farms on nonexistent subdomains of websites owned by its own customers.
Starting in August 2006, Earthlink changed how it handled the process of turning requests for a domain name such as Youtube.com into the numeric IP address of the site's server, hiring a British company called Barefruit to help it make money from this system.
When a user wants to visit a website, a browser asks a DNS server, usually provided by an ISP, to translate a domain name like Wired.com into an IP address such as http://72.246.49.48. If a particular site does not exist, the DNS server tells the browser that there's no such listing and a browser displays a simple error message that the site does not exist.
But using Barefruit's technology, Earthlink instead intercepts that Non-Existent Domain (NXDOMAIN) response and sends the IP address of Barefruit's ad server as the answer. When the browser visits that page, the user sees a list of suggestions for what site the user might have actually wanted, along with a search box and Yahoo ads.
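The interception described above can be checked from the client side: an honest resolver answers a random, never-registered name with NXDOMAIN, while a rewriting resolver answers every such name, usually with the same ad-server address. The following is an added example, not code from the article or from Kaminsky; the probe names under example.com are constructed, and the `resolver` parameter exists only so the check can be exercised against fake resolvers as well as the system's real one.

```python
import secrets
import socket

# Resolver used when none is supplied: the system's stub resolver, which on
# most home connections points at the ISP's DNS server.
def system_resolver(name):
    return socket.gethostbyname(name)

def random_probe_name(base_domain="example.com"):
    """Build a host name under base_domain that is vanishingly unlikely to
    exist. Constructed probe; example.com is reserved for documentation."""
    return f"nx-{secrets.token_hex(8)}.{base_domain}"

def lookup(name, resolver=system_resolver):
    """Return the address the resolver gives for name, or None on NXDOMAIN."""
    try:
        return resolver(name)
    except OSError:
        # socket.gaierror (a subclass of OSError) is what an honest
        # NXDOMAIN answer produces at this layer.
        return None

def detect_nxdomain_rewriting(resolver=system_resolver, probes=3):
    """Resolve several random, nonexistent names. An honest resolver answers
    none of them; a rewriting resolver answers all of them, typically with
    one and the same ad-server address. Returns (rewriting?, {name: addr})."""
    answers = {}
    for _ in range(probes):
        name = random_probe_name()
        addr = lookup(name, resolver)
        if addr is not None:
            answers[name] = addr
    rewriting = len(answers) == probes
    return rewriting, answers

if __name__ == "__main__":
    rewriting, answers = detect_nxdomain_rewriting()
    if rewriting:
        print("resolver rewrites NXDOMAIN; nonexistent names map to",
              sorted(set(answers.values())))
    else:
        print("resolver returns NXDOMAIN honestly")
```

Several probes are used rather than one so that a single stale cache entry or wildcard record under the base domain does not produce a false positive; if all probes resolve to one address, that address is the page a user is being sent to instead of an error.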
The rub comes when a user is asking for a nonexistent subdomain of a real website, such as http://webmale.google.com, where the subdomain "webmale" doesn't exist, unlike "mail" in http://mail.google.com. So, in this case, Earthlink/Barefruit ads appear in a browser where the address bar says you are on a Google site.
That in itself raises some interesting and ongoing trademark questions, but the problem went further, since Barefruit neglected basic web programming practice, which exposed its servers – and therefore every website on the internet – to a malicious JavaScript attack.
The problem Kaminsky found is that a hacker could create a URL that included JavaScript as part of the invalid subdomain. When Barefruit's ad server went to display suggestions, it tried to display the name of the supposedly mistyped URL, but instead injected the rogue JavaScript into the page of ads.
That would allow an intrepid hacker to insert any code he liked into any site on the internet, and have it look completely legitimate, since your browser bar would say that you are visiting an official Google, PayPal, eBay or Facebook page. Kaminsky demonstrated this by finding a way to insert a YouTube video from 80s pop star Rick Astley into sites such as Facebook and PayPal, but a black hat hacker would instead embed a password-stealing Trojan.
The hole also allowed a hacker to pretend to be a logged-in user, and to send out emails in your name or add friends to your Facebook account.
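The defect described above is reflected cross-site scripting: the host name the browser asked for is copied into the suggestion page without being validated or escaped. The snippet below is an added example, not Barefruit's code or anything Kaminsky published; it places a minimal vulnerable renderer beside a hardened one so the difference is visible in the output. The suggestion table, the page markup and the `HOSTNAME_RE` validator are all constructed for this example.

```python
import html
import re

# Constructed table of "did you mean" suggestions for one mistyped host name.
SUGGESTIONS = {"webmale.google.com": ["mail.google.com"]}

# Syntax of a host name: dot-separated labels of letters, digits and hyphens
# (a hypothetical validator written for this example, not a full RFC check).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

def render_vulnerable(requested_host):
    """The pattern the article describes: the host name the browser asked for
    is copied into the page as-is, so any markup inside it becomes live HTML."""
    links = "".join(f'<li><a href="http://{s}/">{s}</a></li>'
                    for s in SUGGESTIONS.get(requested_host, []))
    return f"<h1>{requested_host} was not found. Did you mean:</h1><ul>{links}</ul>"

def render_hardened(requested_host):
    """Validate the host name against its grammar, then HTML-escape it anyway
    (defence in depth) before placing it in the page."""
    host = requested_host.lower()
    if not HOSTNAME_RE.match(host):
        host = "the requested site"  # never echo an invalid name at all
    safe = html.escape(host, quote=True)
    links = "".join(
        f'<li><a href="http://{html.escape(s, quote=True)}/">{html.escape(s)}</a></li>'
        for s in SUGGESTIONS.get(host, []))
    return f"<h1>{safe} was not found. Did you mean:</h1><ul>{links}</ul>"

def reflects_markup(page, marker="<script"):
    """Detection helper: does a rendered page carry raw script markup?"""
    return marker in page

if __name__ == "__main__":
    # Constructed input: a host name carrying markup in its first label.
    probe = "<script>alert(1)</script>.google.com"
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable(probe)))
    print("hardened reflects markup:  ", reflects_markup(render_hardened(probe)))
```

Validation alone is not enough, because a later change to the grammar (internationalised labels, for instance) could let characters through that the template never anticipated; escaping at the point of output is the control that holds regardless of what the validator accepts.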
While Kaminsky credits Earthlink and Barefruit for quickly rectifying the JavaScript problem, security, net neutrality and trademark issues still remain due to Barefruit's pretending to be websites it is not, he says.
For its part, Earthlink says the Barefruit ad pages are useful to users.
"We offer DNS error functionality for our customers through Barefruit to enhance our users' experience, and we work closely with Barefruit to provide a safe and convenient way for them to find the destination they're looking for online," Earthlink spokesman Chris Marshall said via email. "We believe that the service provides a positive experience for our Internet users."
Barefruit echoes the sentiment.
"Barefruit endeavours to ensure online security while providing an improved Internet user interface by replacing unhelpful and confusing error messages with alternatives relevant to what the user was seeking," Barefruit's Dave Roberts said via email.
For Vixie, however, the issue is simple.
"I really feel if someone goes to a website that does not exist, they ought to see an error message," Vixie said. "If they would really rather see a search engine page, there are plug-ins for Internet Explorer and Firefox they can install."
Earthlink customers who do not wish to use the service can instead use different Earthlink DNS servers. Anyone can also use OpenDNS, a start-up that also provides ad pages on domains that don't resolve, but does so without pretending to be the other site.
Photo: Quinn Norton/Wired.com. Screenshots: Attack application and "Rick-Rolled" Facebook page courtesy of Dan Kaminsky.
