Major ISPs Injecting Ads, Vulnerabilities Into Web
Rebecca Bug writes "Several Web sites (Wired, eWEEK, The Washington Post) are reporting on Dan Kaminsky's Toorcon discussion of a serious security risk introduced when major ISPs serve ads on error pages. Kaminsky found that the advertising servers are impersonating, via DNS, hostnames within trademarked domains. 'We have determined that these injected servers are, in fact, vulnerable to cross-site scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites,' Kaminsky said, identifying EarthLink, Verizon and Qwest among the ISPs."
I can see doing this for nonexistent domains, but doing it for sub-domains is treading on very thin ice. When someone registers a domain they've been entitled to control over all the sub-domains, and serving ads on their domain like this could very easily be argued as a major break of trademark law. It was a seriously braindead decision as suddenly it's no longer a victimless crime, and the victims may have the money to afford lawyers in this case.
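A check a site owner or network defender can run to see whether the resolver in use answers for hostnames that should not exist, and whether that reaches into a registered domain as described above. This is an added example, not code from the story, the comment, or Kaminsky's talk; the function names and verdict strings are hypothetical, and the `.invalid` control relies on that TLD being reserved by RFC 6761.

```python
import secrets
import socket

def system_resolve(hostname):
    """IPv4 addresses from the configured resolver; empty set if nothing resolves."""
    try:
        return set(socket.gethostbyname_ex(hostname)[2])
    except OSError:  # gaierror/herror: NXDOMAIN or lookup failure
        return set()

def random_label():
    # Long random label: a name the zone owner has almost certainly never created.
    return "nx-" + secrets.token_hex(10)

def classify(domain, resolve=system_resolve, probes=3):
    """Classify how the resolver behind `resolve` answers names that should not exist."""
    # Control: .invalid is reserved by RFC 6761 and must never resolve.
    control = set()
    for _ in range(probes):
        control |= resolve(random_label() + ".invalid")
    # Probe: random hostnames inside a registered domain.
    answered = [ips for ips in (resolve(f"{random_label()}.{domain}")
                                for _ in range(probes)) if ips]
    if not answered:
        verdict = "rewrites-nonexistent-domains-only" if control else "clean"
    elif control and all(ips & control for ips in answered):
        # Same addresses as the control: the resolver, not the zone, is answering.
        verdict = "rewrites-subdomains"
    else:
        # Could be the owner's own wildcard record; needs a second vantage point.
        verdict = "wildcard-or-unconfirmed"
    return {"verdict": verdict, "control_ips": control,
            "subdomain_ips": set().union(*answered)}

if __name__ == "__main__":
    import sys
    print(classify(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

A `wildcard-or-unconfirmed` result should be compared against the answer from the domain's authoritative name servers before concluding anything about the ISP.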