
Intology – Intelligent Technology News




Domain name redirects open door for hackers

April 22nd, 2008 by Kiyani

When you make a typo in a domain name, many ISPs re-direct you to a page with sponsored links. It’s a way for the ISP to make a little extra cash from your mistake, and it had been considered relatively harmless. However, a security researcher has found a way to exploit the arrangement, and it could create an opening for malicious attacks.

Internet service providers that serve advertising when a user requests a Web page that doesn’t exist are exposing their users to a giant security breach, according to security researcher Dan Kaminsky. The vulnerability resulting from the practice, which is an increasingly common way for ISPs to make money from users’ typos, was identified last week on Earthlink by Kaminsky, who is director of penetration testing for security firm IOActive.

Kaminsky presented his findings at the Toorcon hacker conference on Saturday.


Subdomain Trickery

The problem Kaminsky found was a slightly finer twist on a controversial practice that has been around for a few years already. It’s not new for ISPs to serve ads when a user mistypes a URL and ends up inputting one that doesn’t exist.

In that case, Earthlink, for example, sends the user to the server at Barefruit, its London-based ad partner, instead. At that point the user is given a list of suggestions for what the desired site might have been, as well as a Yahoo search box and some ads. Earthlink began the practice in 2006, and explains it in a blog post from August of that year.

What is relatively new, however, is for those ad pages to get served when a user requests a nonexistent subdomain of a legitimate Web site, such as “wrongsubdomain.rightdomain.com.”

In that case the Barefruit ads once again appear in the browser, but now the title bar suggests that the page is part of the official domain requested.
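A way to check whether the resolver you are using behaves as described above, added here as an example and not taken from the article or from Kaminsky's work: look up random, nonexistent subdomains of several unrelated domains and see whether the answers point at one shared server. The function names, the `resolve` parameter and the sample domains are assumptions made for the example.

```python
import secrets
import socket


def system_resolve(name):
    """IPv4 addresses the configured resolver returns; empty set on NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def random_label():
    # 64 random bits: a label no real zone will have published.
    return "nx-" + secrets.token_hex(8)


def check_nxdomain_rewriting(domains, resolve=system_resolve):
    """Classify what the resolver does with a nonexistent subdomain of each domain.

    'nxdomain'  - the failure reached the client, as it should
    'rewritten' - the answer also shows up for an unrelated name, so the
                  resolver is substituting its own server
    'wildcard?' - an answer unique to this domain, most likely the zone's own
                  wildcard record
    """
    # Control: .invalid is reserved (RFC 2606) and must never resolve.
    control = resolve(random_label() + ".invalid")
    answers = {d: resolve(f"{random_label()}.{d}") for d in domains}
    report = {}
    for domain, addrs in answers.items():
        # Assumption: the domains passed in are unrelated, so they do not
        # share hosting.
        others = set().union(control, *(a for d, a in answers.items() if d != domain))
        if not addrs:
            report[domain] = "nxdomain"
        elif addrs & others:
            report[domain] = "rewritten"
        else:
            report[domain] = "wildcard?"
    return report


if __name__ == "__main__":
    # Constructed sample input: two documentation domains.
    for domain, verdict in check_nxdomain_rewriting(["example.com", "example.org"]).items():
        print(f"{domain}: {verdict}")
```

A "rewritten" verdict means pages under those domains' names can be served by a third party's server on that network, so an alternative resolver or a local validating resolver is the usual mitigation.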


Weakest Link

Earthlink argues that its general ad-serving process helps users: “By presenting users with contextual help based upon the non-existent domain the user entered, we believe we are improving the EarthLink user experience with a system that will not interfere with other network processes,” it said.

According to Kaminsky, however, the result now is that the subdomain is only as secure as Barefruit’s servers — which he found were not too secure at all. He actually demonstrated that he could insert a YouTube video into the Facebook and PayPal domains, for example.

Of course, that was a demonstration; the real threat is what a malicious hacker could insert instead, such as code to steal user passwords.
