IT-Networks: Third-Party Ad Serving Compromises Internet Security
================================================================================

Alex on 25 April, 2008 06:44:00

Third-party Internet advertisements on unused Web pages can often create security vulnerabilities outside the control of Internet service providers, according to research presented at a security conference last weekend.

Dan Kaminsky, director of penetration testing for Seattle-based computer security consultant IOActive Inc., described the problem. For example, he explained, if someone mistypes the name of a Web site into their browser, they will often be directed to a Web site displaying a wall of advertisements instead of getting an error message. A portion of those profits then goes back to the Internet provider.

However, harm can result when hackers break into the server hosting the ads. In such a case, the hackers can inject code onto the pages or alter the pages in such a way as to trick the user into providing personal information.

"The security of the Web for these ISPs is limited to the security of these random ad servers," Kaminsky said in an interview with the Associated Press.

Kaminsky's presentation focused on the "dead trivial vulnerability" he discovered on servers used by U.K.-based Barefruit to serve ads for Internet service provider Earthlink Inc. The so-called "cross-site scripting" vulnerability meant Kaminsky was able to place his own code and content on pages served by Barefruit.

Barefruit CEO Dave Roberts said the company corrected the vulnerability within 30 minutes after Kaminsky told the company about it, adding that it could be exploited only in "incredibly unlikely circumstances".

Kevin Brand, senior vice president for access products for Earthlink, said no users were affected, and that the company allows its customers to opt out of seeing ads on unused Web pages. However, opting out requires users to alter their computer settings.

"We're not trying to hold any of our customers hostage by any means," he said. "We're just trying to improve their experience."

Other security experts said Kaminsky's presentation demonstrates that companies that serve ads on unused Web pages must take steps to secure their servers.

"We knew that using DNS as an advertising magnet was a bad idea, but we didn't have a smoking gun that everybody in the world could understand - until now," Paul Vixie, president of the Internet Systems Consortium, told the Associated Press.

"Dan's findings show that anyone showing an ad for a nearby domain to one the Web browser thought it was talking to, has liability for anything their Web ad server does," Vixie said.

Kaminsky said it's not merely obvious typos that can cause problems. In fact, he said, many obvious typos are not a problem because popular Web sites purchase similar names that people often erroneously type. For example, if someone types in ' , ' they will be redirected to the real Google web site.

Instead, Kaminsky said the bigger problem arises from erroneous subdomains, which might happen if a user types in too many or not enough “w’s” in a Web site’s address. Such a mistake would allow a hacker to make a compromised Web site look authentic. Kaminsky cited the example of ' server2., ' which isn't controlled by MySpace but could seem like it is to an unsuspecting Web surfer or even a browser.

Kaminsky used examples from numerous Web sites, such as Amazon.com, eBay, Google and MySpace. The sites themselves didn't have vulnerabilities, but because of the way Web browsers and the Domain Name System (DNS) operate, compromised pages served up by Barefruit's servers were "trusted" by the real sites and able to communicate freely with one another. This allowed Kaminsky to steal "cookies" that stored login information for real sites, and create "phishing" pages that were able to trick people into providing sensitive personal information.

Kaminsky said many large ISPs were investigating hiring third-party ad-serving companies for their unused pages, something that could drive the potential for widespread infections.

Source: Red Orbit
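The cookie exposure described above comes down to the browser's cookie domain-matching rule (RFC 6265): a cookie scoped to a whole domain is sent to any host name under it, including a mistyped subdomain that an ISP answers with an ad server's page. The sketch below is an added example, not taken from the article or from Kaminsky's presentation; the `shop.test` host names and the cookie names are constructed for illustration.

```javascript
// RFC 6265 section 5.1.3 domain matching, reduced to host names (no IP literals).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  return h === d || h.endsWith("." + d);
}

// A cookie set WITH a Domain attribute goes to that domain and every subdomain.
// A cookie set WITHOUT one is "host-only": it goes to the exact setting host alone.
function cookiesSentTo(host, jar) {
  return jar
    .filter(c => (c.hostOnly ? host.toLowerCase() === c.domain
                             : domainMatch(host, c.domain)))
    .map(c => c.name);
}

// Subset of the sent cookies that page script can read through document.cookie.
// HttpOnly hides a cookie from script, but the cookie still travels in the request.
function readableByScript(host, jar) {
  const sent = new Set(cookiesSentTo(host, jar));
  return jar.filter(c => sent.has(c.name) && !c.httpOnly).map(c => c.name);
}

// Constructed cookie jar for a hypothetical site, as the browser would store it.
const jar = [
  { name: "sid_domain",          domain: "shop.test",     hostOnly: false, httpOnly: false },
  { name: "sid_domain_httponly", domain: "shop.test",     hostOnly: false, httpOnly: true  },
  { name: "sid_hostonly",        domain: "www.shop.test", hostOnly: true,  httpOnly: true  },
];

// "wwww.shop.test" stands for a subdomain that does not exist but still resolves
// because the resolver substitutes an ad server for the error response.
for (const host of ["www.shop.test", "wwww.shop.test"]) {
  console.log(host, "receives:", cookiesSentTo(host, jar).join(", "));
  console.log(host, "script can read:", readableByScript(host, jar).join(", "));
}
```

Only the host-only cookie stays off the mistyped host entirely, which is the case for issuing session cookies without a `Domain` attribute.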