Slashdot Mirror


Major ISPs Injecting Ads, Vulnerabilities Into Web

Rebecca Bug writes "Several Web sites (Wired, eWEEK, The Washington Post) are reporting on Dan Kaminsky's Toorcon discussion of a serious security risk introduced when major ISPs serve ads on error pages. Kaminsky found that the advertising servers are impersonating, via DNS, hostnames within trademarked domains. 'We have determined that these injected servers are, in fact, vulnerable to cross-site scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites,' Kaminsky said, identifying EarthLink, Verizon and Qwest among the ISPs."

28 of 116 comments

  1. I first read it as... by doublee3 · · Score: 4, Funny

    I first read it as "Major ISPs Injecting Aids", but then found I wasn't very far off.

    1. Re:I first read it as... by ohtani · · Score: 2, Funny

      You took the words right out of my mouth there. "Aids? What?" *click* "Oh, Ads... Wait no, they meant Aids"

      --
      Pancakes. Oh I blew it.
  2. Re:Trademarked[tm](r)(c) Domains ? by Kjella · · Score: 2, Interesting

    Well, I'd say it's domains you can lay claim to by trademark; there have been cases where domain squatters have been forced to turn over domain names. That's generally been when the company has a unique name (i.e. not like apple) that the squatter is basically just blocking. In any case, I guess the point was just "big, important sites are being faked".

    --
    Live today, because you never know what tomorrow brings
  3. its easy as... by Anonymous Coward · · Score: 2, Funny

    forgetting the whole http protocol forever and dusting off the good old Gopher, I bet no ISP has any idea on how to inject into THAT :)

  4. Re:This is NOT new by ohtani · · Score: 2, Informative

    Wow nice that URL above set off my avast scanner. Redirects to nimp.org

    --
    Pancakes. Oh I blew it.
  5. Verizon by FlyByPC · · Score: 3, Informative

    Verizon's DSL service, at least in Philadelphia, redirects DNS lookup failures by default. I found this out after mistyping some URL or other. Looking into it, they do have a way to opt out of this "service" -- although if you're not at least reasonably competent with making TCP/IP configuration changes on a home router, don't bother; it involves looking up and modifying IP addresses. Not a big deal to most /.ers, I'd say, but a nightmare for the general public.

    Perhaps if there's enough coordinated consumer demand, we could create a market for a certified "standard Internet connection" -- which gives a public IP (static or DHCP) and unfiltered, unadulterated 'Net access -- no port blocking, no bandwidth throttling, no DHCP redirects, no PPPoE or other strange "install-this-software-to-connect-to-the-Internet" schemes. Just gimme a basic 'Net feed terminating in an Ethernet port, thankyouverymuch.

    Also, apparently I have yet to "decide" whether I want to choose MSN, AOL, or Yahoo for my "Internet Experience." Such a decision might well take me a while, Verizon...

    --
    Paleotechnologist and connoisseur of pretty shiny things.
    1. Re:Verizon by Nushio · · Score: 2, Insightful

      No way to complain? How about leaving Verizon?

      I don't know how it works there (there being USA, and Verizon, specifically), but once I wanted to leave my old Internet Cable Company, they asked me to fill in a list of reasons for leaving.

      I'm sure that if enough people leave for the same reason, someone will wake up and notice. And if they don't? Well, it's lost revenue.

      Money is the only language companies understand.

      --
      Check out Unsealed: Whispers of Wisdom! http://unsealed.k3rnel.net It's an action-RPG about Open Sourcerers.
  6. Only mildly illegal. by davolfman · · Score: 5, Interesting

    I can see doing this for nonexistent domains, but doing it for sub-domains is treading on very thin ice. When someone registers a domain, they've been entitled to control over all the sub-domains, and serving ads on their domain like this could very easily be argued as a major break of trademark law. It was a seriously braindead decision, as suddenly it's no longer a victimless crime, and the victims may have the money to afford lawyers in this case.

    1. Re:Only mildly illegal. by Effugas · · Score: 3, Interesting

      I think it's an accident. It's actually tricky to differentiate nonexistent subdomains vs. unregistered domains; what's on the wire is the same, it's just which name server tells you something. See www.publicsuffix.org to see how hard this problem is.

      I'm pretty optimistic that, now that the issue's been identified, everyone will stop violating trademarks.

      --Dan

    2. Re:Only mildly illegal. by jchawk · · Score: 2, Interesting

      I'm not defending ad injection or DNS redirection by any means.

      However, if you are on one of these providers and they are hijacking mistyped sub-domain traffic, you can regain control by using a wildcard DNS entry for your domain and handle this with a properly configured web server. I know Apache has supported this for some time now.

    3. Re:Only mildly illegal. by crispin_bollocks · · Score: 5, Insightful

      It could get really touchy if they're serving targeted ads. It's one thing if I type my company's name into a Google search and get served competitors' ads, but if an existing or potential customer tries to visit my site, mistypes, and ends up with an ad for the competition, I'd go ballistic. It would seem a pretty open and shut violation of my brand name and good reputation.

    4. Re:Only mildly illegal. by ScrewMaster · · Score: 5, Insightful

      I can see doing this for nonexistent domains

      I can't. That's exactly what Verisign tried doing a few years ago, and got bitchslapped for because it breaks things. Not every piece of equipment that connects to the Internet and uses the Domain Name System is a Web browser, you know, and many of those systems expect a failed resolution attempt to return the proper error codes. These corporate bastards should be required to honor the basic Internet standards that exist, and which millions upon millions of networked machines depend upon for proper operation. Failure to do so should involve hundreds of millions of dollars in penalties and lost tax breaks, because their arrogance costs everyone else at least that much when they pull stunts like this.

      Bloodsucking leeches, all of them. These jerks are just asking for some heavy-handed regulation to be applied to them: if they don't want to be forced into being common carriers, they'd damn well better act responsibly. Contrary to what these idiots may think, the Internet is not a private profit-making engine built exclusively for their use. It's reached the point of being a public utility, as important to our well-being as clean water. Sure, maybe as individuals we can live without our personal Internet connection: the supply chain which provides us with vital goods and services cannot.

      --
      The higher the technology, the sharper that two-edged sword.
    5. Re:Only mildly illegal. by billcopc · · Score: 2

      I would love to see that open and shut case take down a big ISP. There needs to be a very real threat to these unchecked profiteers. We have enough ads on the net already, typo traffic is complete bullshit!

      --
      -Billco, Fnarg.com
    6. Re:Only mildly illegal. by ScrewMaster · · Score: 3, Informative

      Forced into being common carriers? They're fighting tooth and nail to keep their common carrier status.

      You are incorrect. That battle was fought years ago and they won it: even the Telcos, which do fall under that regulation, only count as common carriers for their voice services. Data services received an exemption and are consequently not subject to the universal coverage and quality-of-service standards to which phone companies must adhere.

      --
      The higher the technology, the sharper that two-edged sword.
    7. Re:Only mildly illegal. by shmert · · Score: 3, Interesting

      I use Earthlink as ISP and phone service (note: I would not recommend this to any sane person who doesn't enjoy long phone conversations with tech support types).

      I assumed that the error pages at least had a 404 error code, but nope, they return a 200, with their own "helpful" content.

      Look at this crap:

      [twonky:~] sbarnum% curl -v "http://zzzslashdot.org"
      * About to connect() to zzzslashdot.org port 80 (#0)
      *   Trying 209.86.66.95... connected
      * Connected to zzzslashdot.org (209.86.66.95) port 80 (#0)
      > GET / HTTP/1.1
      > User-Agent: curl/7.16.3 (powerpc-apple-darwin8.0) libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3
      > Host: zzzslashdot.org
      > Accept: */*
      >
      < HTTP/1.1 200 OK
      < Date: Sun, 20 Apr 2008 05:13:54 GMT
      < Server: Apache
      < Content-Length: 774
      < Connection: close
      < Content-Type: text/html; charset=UTF-8
      <
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
      <noscript>
      <meta http-equiv="refresh" content="0;http://earthlink-help.com/main?AddInType=Bdns&Version=1.3.1el&FailureMode=1&ParticipantID=xj6e3468k634hy3945zg3zkhfn7zfgf6&ClientLocation=us&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F"/>
      </noscript>
      <script type="text/javascript">
      window.location.replace("http://earthlink-help.com/main?AddInType=Bdns&Version=1.3.1el&FailureMode=1&ParticipantID=xj6e3468k634hy3945zg3zkhfn7zfgf6&ClientLocation=us&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F");
      </script>
      </head>
      <body>
      </body>
      </html>
      * Closing connection #0

      --
      You drank my drink, you drunk!
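Two checks that follow from the capture above, written up as an added example (not code from any post in this thread): probing a resolver with random labels to see whether it invents answers for names that cannot exist, and recognising a 200 "error page" whose only content is a bounce to a different host. The fake resolvers used in the demonstration are constructed, `example.com` in the live run is a placeholder domain, and the sample body is abridged from the curl output quoted above.

```python
"""Detect the two behaviours captured above: a resolver that answers for
names that cannot exist, and a 200 "error page" that only bounces the
browser to another host.  Added example; the fake resolvers used in the
demo are constructed and the sample body is abridged from the curl output."""
import re
import secrets
import socket
from html.parser import HTMLParser
from typing import Callable, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], Optional[str]]  # hostname -> IPv4 text, None on NXDOMAIN


def system_resolver(name: str) -> Optional[str]:
    """Ask the OS stub resolver; None stands for NXDOMAIN or any failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def probe_nxdomain_rewrite(domain: str, resolve: Resolver = system_resolver,
                           samples: int = 3) -> dict:
    """Resolve a few random labels under `domain`.

    A 16-hex-character label has no realistic chance of being registered,
    so any answer means records are being synthesised: by the recursive
    resolver (the rewriting discussed in this thread) or by a wildcard in
    the zone itself.  `rewriting` is True only when every probe resolved.
    """
    names = [f"{secrets.token_hex(8)}.{domain}" for _ in range(samples)]
    answers = {name: resolve(name) for name in names}
    sinks = sorted({addr for addr in answers.values() if addr is not None})
    rewriting = bool(sinks) and all(a is not None for a in answers.values())
    return {"rewriting": rewriting, "sinks": sinks, "answers": answers}


# location = "...", location.href = "...", location.replace("..."), location.assign("...")
_JS_NAV = re.compile(
    r"""location(?:\.href)?\s*(?:=(?!=)|\.(?:replace|assign)\()\s*["']([^"']+)["']""")


class _RedirectSniffer(HTMLParser):
    """Collect targets of <meta http-equiv=refresh> and of JS location changes."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: list = []
        self._script: Optional[list] = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            _, _, url = a.get("content", "").partition(";")  # "0;URL" or "0; url=URL"
            url = url.strip()
            if url.lower().startswith("url="):
                url = url[4:].strip()
            if url:
                self.targets.append(url)
        elif tag == "script":
            self._script = []

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.targets.extend(_JS_NAV.findall("".join(self._script)))
            self._script = None

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)


def classify_response(status: int, body: str, requested_host: str) -> dict:
    """Flag a 200 whose content is an immediate bounce to a different host.

    A name that truly does not exist never reaches HTTP; a real server
    answering for a typo should say 404 or 3xx.  A 200 that only redirects
    elsewhere is the signature of the injected pages in this thread.
    """
    sniffer = _RedirectSniffer()
    sniffer.feed(body)
    sniffer.close()
    hosts = sorted({h for h in (urlsplit(t).hostname for t in sniffer.targets)
                    if h and h != requested_host.lower()})
    return {"status": status, "bounces_to": hosts,
            "suspicious": status == 200 and bool(hosts)}


# Abridged from the curl capture quoted in the post above.
SAMPLE_BODY = """<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<noscript>
<meta http-equiv="refresh" content="0;http://earthlink-help.com/main?FailureMode=1&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F"/>
</noscript>
<script type="text/javascript">
window.location.replace("http://earthlink-help.com/main?FailureMode=1&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F");
</script>
</head>
<body></body>
</html>"""

if __name__ == "__main__":
    # Live probe against the local resolver; example.com is a placeholder domain.
    print(probe_nxdomain_rewrite("example.com"))
    print(classify_response(200, SAMPLE_BODY, "zzzslashdot.org"))
```

The DNS probe cannot by itself tell an ISP rewriting NXDOMAIN from a wildcard record in the zone (the same point Effugas makes about publicsuffix.org), so the HTTP check is the second signal: a wildcard you configured yourself answers from your server, while the injected page bounces to a host that is not the one the client asked for.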
  7. More Data by Effugas · · Score: 5, Informative

    This is Dan -- glad you're all enjoying!

    There's more data here:

    http://www.doxpara.com/DMK_Neut_toor.ppt

    And this is what I sent (many, many) affected sites:

    IOActive Security Pre-advisory: Non-Neutral Major ISP Behavior Injecting Security Vulnerabilities Into Entire Web
    Dan Kaminsky, Director of Penetration Testing, IOActive Inc.
    Jason Larsen, Senior Security Researcher, IOActive Inc.

    Executive Summary: A number of major broadband ISPs have deployed advertising servers that impersonate, via DNS, hostnames within your trademarked domain. We have determined that these injected servers are, in fact, vulnerable to Cross-Site Scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites. Due to recent activity by Network Solutions, we believe this vulnerability will be discovered shortly, and we will thus be unveiling this matter on Saturday, April 19th, at the Seattle Toorcon security conference. We believe that the security hole is reasonably straightforward to fix, either by temporarily disabling the advertising server, or by resolving the error condition that allows Cross-Site Scripting. We are contacting the affected ISPs to address at least the security issue in play. The fundamental trademark violation issue is outside our scope; however, we encourage you to pay close attention to this case, as the fundamental design of these advertising systems requires direct impersonation of your protected marks.

    Details: We would prefer to keep the names and mechanisms required for this vulnerability under wraps, at least for the next few days, while the ISPs in question manage and mitigate the security implications of this behavior. We can confirm the following attacks have been verified to work against your site, via this XSS vulnerability:

    A) Arbitrary cookie retrieval. Any web page on the Internet can retrieve all non-HTTP-only cookies from your domains.
    B) Fake site injection. A victim can be directed to "server2.www.realsite.com" or "server3.www.realsite.com", which will appear to be a host in your domain. We believe any phishing attempts from this perfect-address spoofed subdomain are more likely to be successful.
    C) Full page compromise. A victim can be directed to your actual HTTP site, with all logged in credentials, and our attack page will still be able to fully manipulate the target site as if we ourselves were the victim. Note, while we cannot attack HTTPS resources, we can prevent upgrade from HTTP to HTTPS. This may affect any shopping carts within your sites.

    We believe this behavior is illustrative of the risks of violating Network Neutrality. Indeed, it is our sense that the HTTP web becomes insecurable if man-in-the-middle attacks are monetized by providers -- if we don't know what bits are going to reach the client, how can we control for flaws in those bits?

    We do not believe the vulnerability is intentional, only the injection. We were partially involved in the discovery of the Sony Rootkit some time ago; we recognize this pattern. That case resolved itself reasonably, and we are hopeful this one can be managed well as well. If your technical, press, or legal staff has any comments on this matter, please feel free to contact us at dan.kaminsky@ioactive.com. This is a matter that strikes at the core of the viability of HTTP as a medium for business, and we are committed to defending this medium for your operations. Thank you!

    Yours Truly,

          Dan Kaminsky
          Jason Larsen
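To make attack (A) above concrete from the defender's side, here is an added example (not part of the pre-advisory or of this post) that applies the RFC 6265 rules for the Cookie request header to a constructed cookie jar for the placeholder domain `realsite.com` used in the advisory, and lists which cookies a browser would send to an injected `server2.www.realsite.com` over plain HTTP and which of those the page's script could read.

```python
"""Which cookies a hijacked "server2.www.realsite.com" would receive.

Added example; it implements the RFC 6265 rules for domain matching
(section 5.1.3), cookie storage (section 5.3) and the Cookie header
(section 5.4) over a constructed jar.  realsite.com is the placeholder
domain from the advisory, not a real site."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # stored domain: lower-case, no leading dot
    host_only: bool    # True when the server sent no Domain attribute
    secure: bool = False
    http_only: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: identical, or cookie_domain is a dot-separated suffix."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def store_cookie(request_host: str, name: str, domain_attr: Optional[str] = None,
                 secure: bool = False, http_only: bool = False) -> Cookie:
    """RFC 6265 5.3 steps 4-6.

    No Domain attribute: the cookie is host-only, bound to the exact host that
    set it.  With a Domain attribute (leading dot ignored, 5.2.3): the cookie
    is scoped to that domain and every host below it, which is what lets an
    injected sibling host receive it.  A server may not set cookies for a
    domain it is not part of; a user agent ignores such a Set-Cookie.
    """
    host = request_host.lower().rstrip(".")
    if domain_attr is None:
        return Cookie(name, host, True, secure, http_only)
    dom = domain_attr.lower().lstrip(".")
    if not domain_matches(host, dom):
        raise ValueError(f"{host} may not set a cookie for {dom}")
    return Cookie(name, dom, False, secure, http_only)


def cookies_sent_to(jar: List[Cookie], request_host: str, scheme: str) -> List[Cookie]:
    """RFC 6265 5.4 step 1: the cookies a user agent attaches to a request."""
    host = request_host.lower().rstrip(".")
    sent = []
    for c in jar:
        if c.host_only and host != c.domain:
            continue                      # host-only cookies never travel to other hosts
        if not c.host_only and not domain_matches(host, c.domain):
            continue
        if c.secure and scheme != "https":
            continue                      # Secure cookies stay off plain HTTP
        sent.append(c)
    return sent


def names(cookies: List[Cookie]) -> List[str]:
    return sorted(c.name for c in cookies)


def script_visible(cookies: List[Cookie]) -> List[Cookie]:
    """document.cookie on the receiving page sees only non-HttpOnly cookies."""
    return [c for c in cookies if not c.http_only]


# Constructed jar: what https://www.realsite.com might have set earlier.
JAR = [
    store_cookie("www.realsite.com", "session", domain_attr=".realsite.com"),
    store_cookie("www.realsite.com", "prefs", domain_attr="realsite.com", http_only=True),
    store_cookie("www.realsite.com", "auth", domain_attr="realsite.com", secure=True),
    store_cookie("www.realsite.com", "csrf"),   # host-only: no Domain attribute
]


def exposure(jar: List[Cookie], injected_host: str = "server2.www.realsite.com") -> dict:
    """What an injected host reached over plain HTTP receives, and what its script can read."""
    sent = cookies_sent_to(jar, injected_host, "http")
    return {"sent": names(sent), "readable_by_script": names(script_visible(sent))}


if __name__ == "__main__":
    print(exposure(JAR))   # {'sent': ['prefs', 'session'], 'readable_by_script': ['session']}
```

Only cookies set with a Domain attribute cross to the injected host; the host-only `csrf` cookie stays on `www.realsite.com`, the Secure `auth` cookie is never sent over HTTP, and the HttpOnly `prefs` cookie is sent but invisible to the injected page's script. That is exactly the set the advisory's "non-HTTP-only cookies" wording points at, and it is why host-only, Secure and HttpOnly are the levers a site operator controls while the DNS injection itself is outside their hands.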

  8. fix? by pavera · · Score: 4, Interesting

    Couldn't a company "fix" this by setting up wild card dns so that any "mistyped" url will still get resolved by DNS, thus making this particular attack/injection by the ISPs impossible?

    Also, the company could display ads, or some other thing on THEIR DOMAIN, instead of letting the ISPs do this?

    Would this be horribly wrong if the companies themselves (ebay, paypal, etc) were displaying ad pages for subdomains?

    1. Re:fix? by Effugas · · Score: 2, Interesting

      If the attacker (the ISP!) is willing to replace NXDOMAIN, why not replace any name that isn't www? Or any name that returns a fixed 302? The precedent must be set.

  9. Hit it with the Copyright Stick by heretic108 · · Score: 4, Interesting

    This is one of those times when copyright has a profound moral benefit.

    Any site owners who don't want ads injected into their pages can place a copyright notice in small print at the bottom of each page, saying something like:

    Copyright is hereby granted to Internet Service Providers to deliver the content of this page verbatim as served by the HTTP server hosting this website. Any alteration to the content of this page is a breach of copyright which will incur legal action.

    It would take just a few site owners to add these notices and get injunctions served against any ISPs indulging in page-tampering, for ISPs to give up on the whole deal.

    --
    -- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
    1. Re:Hit it with the Copyright Stick by LordLucless · · Score: 5, Informative

      This would accomplish absolutely nothing. They're not inserting ads into existing pages. What they're doing is returning their own pages from domains that don't exist. So, for instance, if you went to "http://www.salsdot.org/" (a non-existent domain), you would get an advert page instead of the standard error page.

      The current problem with this is that a lot of security assumptions are tied to domains. So for instance, if you run a site called "blahblah.com", and an ISP hijacks the non-existent domain "bleh.blahblah.com", certain actions that are only permissible for interactions on the same domain will suddenly become available. That is, an insecure hijacked page provides an attack vector to your own site.

      The ultimate problem with this (as the above is a fairly simple problem to fix) is that the ISP is leveraging the domain of someone who has purchased an exclusive right to that domain. In addition, some domains are also trademarks, in which case they're violating trademark law. But at no stage are they violating copyright law, or modifying the original content, so that disclaimer you recommend wouldn't apply.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    2. Re:Hit it with the Copyright Stick by Guido+von+Guido · · Score: 2, Interesting

      I've been getting these damn DNS redirects for some domains that do exist. Let's say that I want to open a well-known site, such as www.slashdot.org. If the DNS response times out, then I get one of those domain parking sites.

      I know I'm not mistyping the domain name, because if I wait a bit and reload the browser window, then it comes up fine.

      Frankly, this happens way more than it should. The default config Rogers left my router with apparently has the router acting as a forwarding name server. In turn it apparently has only one nameserver. OpenDNS has started sounding a lot better.

  10. PARENT POST LINKS TO MALWARE by spazdor · · Score: 2, Informative

    do not click.

    --
    DRM: Terminator crops for your mind!
  11. Even better. by DaedalusHKX · · Score: 4, Insightful

    Actually, the copyright owners of said domain CAN, and SHOULD demand ALL revenues that the ISP derived off of the serving of said ad pages, and any other related income they received as a result of said copyright violations.

    I keep saying, this is like NAFTA and the WTO: they can be tools for the masses or for the masters, but so far, only the so-called "masters" have used them. Peons will be peons.

    --
    " What luck for rulers that men do not think" - Adolf Hitler
  12. Oops... by DaedalusHKX · · Score: 3, Insightful

    Oops, did I forget to mention?

    By hijacking the website, ANY possible damage that is incurred by the person visiting the website, that could not have occurred from said website, can and should be used to hold the injecting ISPs liable for "fraud", "wire fraud", "internet fraud", "conspiracy to commit fraud", "electronic fraud" along with any "accessory to fraud" charges that can be used. It isn't double jeopardy if they are tried for criminal trespass to chattel, though that might take someone with more knowledge of common law copyrights than I have. So hit them for criminal charges, and then sue them for damages.

    One big ISP getting put out of business would teach the rest a pretty important lesson. "Stop fucking with Joe, he fucked back without even needing a lawyer. Joe's not very nice to assholes who impersonate him and put his customers at risk."

    --
    " What luck for rulers that men do not think" - Adolf Hitler
  13. Re:This article just reminded me.... by Nullav · · Score: 5, Informative

    You realize OpenDNS also throws up ads when you mistype a URL, right? That includes subdomains, by the way.

    --
    I just read Slashdot for the articles.
  14. The Cross-site Scripting FAQ by mrkitty · · Score: 3, Informative

    --
    Believe me, if I started murdering people, there would be none of you left.
  15. Re:This is NOT new by CSMatt · · Score: 3, Interesting

    Hmmm. I've seen a lot of these troll redirects recently. Is there a way that Slash can display the domain that the link is redirecting to instead of the domain of the link itself? So far all of these links have the redirected domain somewhere in the URL, which is how I've been able to avoid them.

  16. Re:brought to you by PReDiToR · · Score: 4, Informative

    Duped? I feel duped, but not in that way.

    I have been trying to get an article about Phorm onto the front page for ages.
    Maybe I should have tried this angle.

    How about a compromised adserver on the Phorm network?
    Every BT, Virgin and Carphone Warehouse customer would have malware foisted upon them by their ISP.

    News for American nerds, maybe. UK nerds might like to know about things like this without having to check the Phorm files at El Reg.

    --

    Do not meddle in the affairs of geeks for they are subtle and quick to anger