ISPs Affected By New XSS Attack
Written by Rebecca Mints   
Thursday, 24 April 2008 18:00

According to IOActive, a security research firm, some ISPs may be leaving their users open to cross-site scripting attacks. The problem is that some ISPs, such as Earthlink, collect revenue from misspelled URLs by routing them to advertising servers, and that has given attackers a way to run phishing attacks against unsuspecting users.


IOActive's director of penetration testing, Dan Kaminsky, said that a flaw in Earthlink's servers is what allows the phishing attacks. The attacks are launched through a third-party Barefoot service that is used by several ISPs. Barefoot was originally designed to redirect users to their intended sites when they make a common misspelling; what some ISPs then started doing was constructing error-catching pages that host paid advertisements. In 2006 Earthlink was caught using Barefoot in this fashion.


At the Toorcon security conference in Seattle, WA, Kaminsky described the provider-in-the-middle attacks (PiTMA) while demonstrating the exploitation of the bug. By inserting his own JavaScript he was able to steal authentication cookies, create fake subdomains, and log into other users' accounts using stolen passwords. He also pwned Facebook, PayPal, Fox News and Toorcon by adding the Rick Astley music video to their sites.
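The error-catching pages described above only work because the resolver in the path answers for names that do not exist, so a defender's first check is whether random, nonexistent hostnames under a domain resolve at all. This is an added example, not code from the article or from IOActive; the probe domain, probe count and label format are assumptions, and the check reports whether NXDOMAIN is being rewritten, not which party is doing it.

```python
"""Detect NXDOMAIN rewriting of the kind the article describes.

Several random labels under a domain are resolved; an honest resolver
returns NXDOMAIN for all of them, while a resolver that sinks typos into
an ad page returns the same address for every one.
"""
import secrets
import socket
from typing import Callable, Optional

# A resolver maps a hostname to an IPv4 string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def system_resolver(hostname: str) -> Optional[str]:
    """Resolve through the OS stub resolver; None means NXDOMAIN / no address."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def random_label(nbytes: int = 8) -> str:
    """A label no legitimate zone should contain (hex from a CSPRNG). Format is assumed."""
    return "nx-" + secrets.token_hex(nbytes)


def probe_nxdomain_rewrite(domain: str, resolver: Resolver = system_resolver,
                           probes: int = 3) -> dict:
    """Resolve `probes` random names under `domain` and report whether they all answered.

    A zone with its own wildcard record also resolves everything, so the sink
    addresses are returned for the operator to compare against their own zone data.
    """
    names = [f"{random_label()}.{domain}" for _ in range(probes)]
    answers = {name: resolver(name) for name in names}
    sinks = sorted({ip for ip in answers.values() if ip is not None})
    rewritten = bool(sinks) and all(ip is not None for ip in answers.values())
    return {"domain": domain, "answers": answers,
            "rewritten": rewritten, "sink_addresses": sinks}


if __name__ == "__main__":
    # Constructed run against the live system resolver; example.com is a documentation domain.
    print(probe_nxdomain_rewrite("example.com"))
```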


While neither Earthlink nor Barefoot wanted to discuss general security issues regarding their sneaky means of advertising, they did comment that a patch for the bug discovered by Kaminsky will be forthcoming. Earthlink also stated that it will keep using Barefoot's services but will keep a more watchful eye on the system it has in place with them. Earthlink may not be the only ISP with this problem, putting many, many web surfers at risk when they misspell a URL.



REFERENCES:
BetaNews, "Cross-site scripting vulnerability may affect Earthlink, other ISPs"
