IOActive, security research firm reports that Earthlink and several ISPs are using advertising servers to collect revenue on misspelled URLs, but alleges that in so doing, they may have mistakenly exposed users to cross-site scripting.
Dan Kaminsky, the group's director of penetration testing, reported that a bug on Earthlink servers may have allowed hackers to launch phishing attacks through the third-party Barefruit service used by several ISPs. Barefruit is a service whose stated purpose is to help ISPs catch DNS errors and redirect users appropriately. However, ISPs took advantage of that redirection by building error-catching pages that included paid advertisements. Earthlink was caught using Barefruit for this purpose in 2006.
Earthlink and Barefruit announced a patch to the bug found by Kaminsky, though they chose not to discuss other security issues related to Earthlink's method of covert advertising. Earthlink said it will continue to use Barefruit in the future, but warned it will closely watch the system moving forward. It is possible there are similar vulnerabilities that put Internet users at risk when heading to mistyped URLs, even though ISPs are now aware of the problem.
ISP, Vulnerability, Scripting, Online Advertising, Online Ads