April 10, 2008
FOR IMMEDIATE RELEASE
Contact:
Jennifer Steffens
206.784.4313
marketing@ioactive.com
ENTIRE WEB AT RISK: EARTHLINK AND VERIZON ADVERTISING SECURITY REVEALED
Seattle, Wash—October 10, 2008. Dan Kaminsky, Director of Penetration Testing at IOActive, discussed a new Web vulnerability at the Toorcon Security Conference on April 19, 2008. Ad injection systems at major ISPs, including Earthlink and Verizon, were vulnerable to cross-site scripting attacks. These systems mimic the entire Web as part of daily operations; therefore, their vulnerabilities affect everyone's domains. Users at these ISPs were at risk and their sensitive data was jeopardized—credit card numbers, email information, and passwords—which could have caused considerable damage if left untreated.
The behavior stemmed from the replacement of otherwise useless DNS error pages with advertising content—a common practice used by many ISPs to increase revenue. However, rather than injecting records only for non-existent domains, such as "nonexistent.com", these servers also injected records for non-existent sub-domains such as "nonexistent.ioactive.com". As a result, the holes Kaminsky found in the ad servers were reachable under every domain on the Internet.
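The mechanism above is easy to test for from the defender's side: random labels under a domain you control cannot legitimately exist, so a resolver that answers for all of them with an address you do not own is synthesizing records. The following script is an added example written for this page; it is not code from IOActive, Barefruit or Paxfire. It assumes you know the addresses your zone is allowed to answer with (`LEGIT_ADDRS`) and can send a few queries through the resolver under test; every answer map below is constructed.

```python
"""Check whether the resolver in your path synthesizes answers for names that
cannot exist under a domain you control (added example, constructed data)."""
import secrets
import socket
from typing import Dict, List, Optional

# Answer map: probe name -> list of A records, or None when the resolver said
# the name does not exist.
Answers = Dict[str, Optional[List[str]]]

# Constructed: a resolver that reports non-existent names honestly.
HONEST_ANSWERS: Answers = {
    "3f1a9c7b2e4d.example.com": None,
    "b7e2d1c0a9f8.example.com": None,
    "0c4e8a2f6d1b.example.com": None,
}

# Constructed: a resolver that maps every missing name to one ad server.
REWRITTEN_ANSWERS: Answers = {
    "3f1a9c7b2e4d.example.com": ["198.51.100.7"],
    "b7e2d1c0a9f8.example.com": ["198.51.100.7"],
    "0c4e8a2f6d1b.example.com": ["198.51.100.7"],
}

# Constructed: addresses the example.com zone legitimately answers with.
LEGIT_ADDRS = {"192.0.2.10", "192.0.2.11"}


def probe_names(domain: str, count: int = 3) -> List[str]:
    """Random labels under `domain`; nothing legitimate should answer for them."""
    return [f"{secrets.token_hex(6)}.{domain}" for _ in range(count)]


def classify(answers: Answers, legit_addrs: set) -> dict:
    """Decide what a set of probe answers says about the resolver.

    'clean'        every probe was NXDOMAIN (the expected behaviour)
    'own_wildcard' probes resolved, but only to your own addresses: a wildcard
                   record in your zone, not the resolver's doing
    'rewriting'    probes resolved to addresses you do not own: the resolver is
                   injecting records into your domain
    """
    resolved = {name: addrs for name, addrs in answers.items() if addrs}
    if not resolved:
        return {"verdict": "clean", "injected_addrs": []}
    seen = {addr for addrs in resolved.values() for addr in addrs}
    foreign = sorted(seen - legit_addrs)
    if not foreign:
        return {"verdict": "own_wildcard", "injected_addrs": []}
    return {
        "verdict": "rewriting",
        "injected_addrs": foreign,
        "probes_rewritten": len(resolved),
        "probes_total": len(answers),
    }


def resolve_live(name: str) -> Optional[List[str]]:
    """Ask the system resolver; None when the lookup fails (normally NXDOMAIN).
    Only used for a live run; the constructed samples above need no network."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


if __name__ == "__main__":
    # Offline demonstration on the constructed answer maps.
    print(classify(HONEST_ANSWERS, LEGIT_ADDRS))
    print(classify(REWRITTEN_ANSWERS, LEGIT_ADDRS))
    # Live run against your own domain (uncomment on a host you control):
    # live = {n: resolve_live(n) for n in probe_names("example.com")}
    # print(classify(live, LEGIT_ADDRS))
```

The comparison against your own address set matters: a wildcard record in your own zone also makes random labels resolve, and without that check the tool would misreport it as an ISP rewriting your domain.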
The immediate threat was addressed by working with the suppliers of the ad injection technology—Barefruit for Earthlink and Paxfire for Verizon. However, the underlying danger still lurks, because some ISPs continue to intentionally falsify records that contain the registered trademarks of companies, organizations, and governments. "The entire security of the Internet for large numbers of users is now dependent on whatever random ad server their ISP deploys. I have no problem with other people's websites being vulnerable, but I would prefer they did not infect ours," Kaminsky said in an interview.
Kaminsky has confirmed three attacks that can be performed using cross-site scripting:
- Arbitrary cookie retrieval: Any web page on the Internet can retrieve all cookies not marked HTTP-only that are scoped to an affected domain.
- Fake site injection: A victim can be directed to "server2.www.realsite.com" or "server3.www.realsite.com", which will appear to be a legitimate host in the domain. Phishing attempts from such a fake sub-domain are likely to be more successful.
- Full page compromise: A victim can be directed to the real site over plain HTTP with all login credentials, while the attack page manipulates the target site as if it were the victim. Attackers can prevent an upgrade from HTTP to HTTPS, which can affect shopping carts within web sites.
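The first and third attacks above come down to cookie scoping: a cookie set with a `Domain` attribute is sent to every sub-domain, including one the ad server conjures up, whereas a host-only cookie is sent only to the exact host that set it, a `Secure` cookie is withheld over plain HTTP, and an `HttpOnly` cookie cannot be read by script even where it is sent. The following script, an added example that is not part of the release or IOActive's work, applies those RFC 6265 rules to a set of constructed `Set-Cookie` headers and reports which cookies would reach, and be readable by script on, an injected host such as "server2.www.realsite.com" (the host names and cookie values are constructed).

```python
"""Which cookies of www.realsite.com leak to an injected sub-domain?
Added example with constructed Set-Cookie headers; applies the RFC 6265
domain-match and Secure rules, not any vendor's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    domain: Optional[str]   # None means host-only (no Domain attribute)
    secure: bool
    http_only: bool


# Constructed: headers the real site might send in one response.
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Domain=.realsite.com; Path=/",
    "csrf=xyz789; Domain=realsite.com; Path=/; HttpOnly",
    "pref=dark",
    "token=q1w2e3; Domain=realsite.com; Secure; HttpOnly",
]


def parse_set_cookie(header: str) -> Cookie:
    """Extract the attributes that decide where a cookie is sent."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, secure, http_only = None, False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            # RFC 6265: a leading dot is ignored; match is case-insensitive.
            domain = value.strip().lstrip(".").lower()
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    return Cookie(name, domain, secure, http_only)


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: equal, or host ends with '.' + cookie_domain."""
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_sent_to(cookie: Cookie, setting_host: str,
                   request_host: str, https: bool) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.secure and not https:
        return False
    if cookie.domain is None:
        return request_host.lower() == setting_host.lower()
    return domain_matches(request_host, cookie.domain)


def exposure_report(headers: List[str], setting_host: str,
                    injected_host: str) -> Dict[str, Dict[str, bool]]:
    """Per cookie: does it reach the injected host over HTTP, and if so can
    script running there read it?"""
    report: Dict[str, Dict[str, bool]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        sent = cookie_sent_to(cookie, setting_host, injected_host, https=False)
        report[cookie.name] = {
            "sent_to_injected_host": sent,
            "readable_by_script": sent and not cookie.http_only,
        }
    return report


if __name__ == "__main__":
    result = exposure_report(SAMPLE_SET_COOKIE_HEADERS,
                             "www.realsite.com", "server2.www.realsite.com")
    for name, flags in result.items():
        print(f"{name:8s} {flags}")
```

Reading the output: `session` is the worst case (domain-scoped, no flags, readable by injected script); `csrf` still travels to the injected host but `HttpOnly` keeps script from reading it; `pref` is host-only and never leaves www.realsite.com; `token` is withheld because the injected host is reached over plain HTTP, which is exactly why blocking the upgrade to HTTPS was worth an attacker's effort in the third attack. The defensive reading is the mirror image: host-only, `Secure` and `HttpOnly` cookies survive an injected sub-domain, domain-scoped ones without those flags do not.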
Kaminsky offered relatively simple solutions to alleviate this threat: ISPs should either temporarily disable their third-party ad injection service or stop services from injecting records into other companies' domains.
Kaminsky commends both Barefruit and Paxfire for their rapid response to the security vulnerability—Barefruit addressed their most visible problem within 30 minutes. However, Kaminsky remains concerned that both companies will continue to generate counterfeit DNS replies; he ultimately worries that other vulnerabilities will, once again, put the entire web at risk.
-###-