RSSCross-site scripting vulnerability may affect Earthlink, other ISPs
By Michael Hatamoto | Published April 23, 2008, 3:21 PM
Security research firm IOActive notes that several ISPs, including Earthlink, are using advertising servers to collect revenue on misspelled URLs, but alleges that in so doing, they may have mistakenly exposed users to cross-site scripting.
Dan Kaminsky, the group's director of penetration testing, reported that a bug on Earthlink servers may have allowed hackers to launch phishing attacks through the third-party Barefruit service used by several ISPs. Barefruit is a service whose stated purpose is to help ISPs catch DNS errors and redirect users appropriately. However, ISPs took advantage of that redirection by building error-catching pages that included paid advertisements. Earthlink was notoriously caught using Barefruit for this purpose in 2006.
Kaminsky, describing the provider-in-the middle (PiTMA) attacks during the Toorcon security conference in Seattle, Washington (PowerPoint slides available here), was able to exploit the bug and insert his own JavaScript code that allowed him to steal authentication cookies, create fake subdomains, and log into other users' accounts using stolen passwords. Also during his presentation, Kaminsky was able to easily add the YouTube Rick Astley music video to Facebook, PayPal, Fox News and Toorcon.
Earthlink and Barefruit announced a patch to the bug found by Kaminsky, though they chose not to discuss other security issues related to Earthlink's method of covert advertising. Earthlink said it will continue to use Barefruit in the future, but warned it will closely watch the system moving forward. It is possible there are similar vulnerabilities that put Internet users at risk when heading to mistyped URLs, even though ISPs are now aware of the problem.
I've been with Earthlink for many years (I recall buying a PC magazine with two Earthlink floppy discs bundled for Windows 3.1...how long ago? 1994?), and this troubling Barefruit redirecting issue, also putting ads on the webmail of paying Earthlink members, has got me looking elsewhere. They used to be a great ISP and the best dialup available by far back in the day, but they've gotten worse and worse over the years. Cheesy and slow, and crappy software. Just talk to old Mindspring fans. Now that was a great ISP, but Earthlink killed it. Earthlink used to have great service and be a cool, friendly company. Not anymore.
Score: 0