Login:
Password:
Lost Password?
Print this article  |  E-mail this article  |  Comment on this article

Cross-site scripting vulnerability may affect Earthlink, other ISPs

By Michael Hatamoto, BetaNews

April 23, 2008, 3:21 PM

Security research firm IOActive notes that several ISPs, including Earthlink, are using advertising servers to collect revenue on misspelled URLs, but alleges that in so doing, they may have mistakenly exposed users to cross-site scripting.

Dan Kaminsky, the group's director of penetration testing, reported that a bug on Earthlink servers may have allowed hackers to launch phishing attacks through the third-party Barefruit service used by several ISPs. Barefruit is a service whose stated purpose is to help ISPs catch DNS errors and redirect users appropriately. However, ISPs took advantage of that redirection by building error-catching pages that included paid advertisements. Earthlink was notoriously caught using Barefruit for this purpose in 2006.

Kaminsky, describing the provider-in-the middle (PiTMA) attacks during the Toorcon security conference in Seattle, Washington (PowerPoint slides available here), was able to exploit the bug and insert his own JavaScript code that allowed him to steal authentication cookies, create fake subdomains, and log into other users' accounts using stolen passwords. Also during his presentation, Kaminsky was able to easily add the YouTube Rick Astley music video to Facebook, PayPal, Fox News and Toorcon.

Earthlink and Barefruit announced a patch to the bug found by Kaminsky, though they chose not to discuss other security issues related to Earthlink's method of covert advertising. Earthlink said it will continue to use Barefruit in the future, but warned it will closely watch the system moving forward. It is possible there are similar vulnerabilities that put Internet users at risk when heading to mistyped URLs, even though ISPs are now aware of the problem.

Add a Comment (1 Comment)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By CT2001

posted Apr 24, 2008 - 12:10 PM

I've been with Earthlink for many years (I recall buying a PC magazine with two Earthlink floppy discs bundled for Windows 3.1...how long ago? 1994?), and this troubling Barefruit redirecting issue, also putting ads on the webmail of paying Earthlink members, has got me looking elsewhere. They used to be a great ISP and the best dialup available by far back in the day, but they've gotten worse and worse over the years. Cheesy and slow, and crappy software. Just talk to old Mindspring fans. Now that was a great ISP, but Earthlink killed it. Earthlink used to have great service and be a cool, friendly company. Not anymore.

Score: 0

Dec 1 - 9:34 PM ET Alltel breaks in a mobile wallet with mFoundry

Dec 1 - 7:38 PM ET Intel tries to turn the tables on AMD in document discovery dispute

Dec 1 - 6:59 PM ET Palm to restructure yet again, may cut more jobs

Dec 1 - 4:58 PM ET Blockbuster downloads headed for more devices via Live Mesh

Dec 1 - 4:55 PM ET AOL's PlaySavvy speaks to game-shy parental units

Dec 1 - 4:41 PM ET Less bad news than anticipated for the semiconductor industry in 2008

Dec 1 - 3:51 PM ET 'Xohm' makes way for 'Clear,' as Sprint/Clearwire merger moves ahead

Dec 1 - 2:01 PM ET Chasing down the latest Cyber Monday tech deals

Dec 1 - 12:50 PM ET Will 'Cyber Monday' fare better than a weak 'Black Friday?'

Dec 1 - 12:38 PM ET Microsoft Cashback goes offline to Black Friday shoppers