Tuesday, April 22, 2008

Major ISPs Injecting Ads, Vulnerabilities Into Web

In attempting to treat the website traffic on their networks as legal tender, several major internet service providers may be unintentionally exposing their customers to greater risk of online attacks from identity thieves, says the Washington Post.

Serving ad-filled pages when customers unwittingly request a nonexistent subdomain of a web site potentially introduces security threats when the ISP has outsourced the ad-serving process to a third party.

These findings come from IOActive security researcher Dan Kaminsky, who found that advertising servers are impersonating hostnames within trademarked domains.
'We have determined that these injected servers are, in fact, vulnerable to cross-site scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites,' Kaminsky said, identifying EarthLink, Verizon and Qwest among the ISPs.
See Slashdot for more information.
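
A resolver that answers for nonexistent subdomains in this way can be spotted from the client side. The following is an added example, not code from the article or from Kaminsky's research: it looks up random labels under several unrelated domains and flags the resolver when the same address answers for all of them. The function names, domains and addresses are assumptions constructed for illustration.

```python
import secrets
import socket

def system_resolve(hostname):
    """IPv4 addresses from the system resolver; empty set when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def probe_nonexistent(domains, resolve=system_resolve, probes=3):
    """Look up random labels that should not exist under each domain.

    Returns {domain: sorted addresses that answered for a nonexistent name}.
    """
    findings = {}
    for domain in domains:
        answered = set()
        for _ in range(probes):
            # 96 random bits: no real host will carry this label
            answered |= set(resolve(f"{secrets.token_hex(12)}.{domain}"))
        if answered:
            findings[domain] = sorted(answered)
    return findings

def classify(findings):
    """A wildcard record set by a domain's owner also answers random labels, so
    one answering domain proves nothing; the same address answering under
    unrelated domains points at the resolver."""
    if not findings:
        return "clean"
    shared = set.intersection(*(set(a) for a in findings.values()))
    if len(findings) > 1 and shared:
        return "resolver-rewriting"
    return "wildcard-or-inconclusive"

if __name__ == "__main__":
    # Constructed resolver standing in for an ISP that answers every missing
    # name with one ad server (192.0.2.10 is a documentation address).
    def rewriting_resolver(name):
        return {"192.0.2.10"}
    found = probe_nonexistent(["example.com", "example.org"], resolve=rewriting_resolver)
    print(found, classify(found))
```

Calling probe_nonexistent with its default resolver runs the same check against the live system resolver.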