Error pages “leave entire web open to hackers”

Barry Collins Read more October 7, 2009

A British company that attempts to make money from mistyped web address is compromising the security of the internet’s biggest companies, according to a security researcher.

The problem stems from ISPs who employ the British firm Barefruit to intercept traffic from non-existent domains, where the user has typed a web address that doesn’t exist.

Instead of returning a normal error message page, Barefruit provides a list of suggestions for the site the reader may have intended to visit, as well as a series of ads.

The potential security flaw arises when the user mistypes a subdomain of a well-known website – such as webmale.google.com instead of webmail.google.com. In this instance, according to a report on renowned technology site Wired.com, the Barefruit content appears in the browser window while the title bar continues to suggest it’s an official Google site.

IOActive security researcher, Dan Kaminsky, claims Barefruit’s servers were vulnerable to a JavaScript attack that made it possible to serve up any links the attacker wanted, whilst still having the appearance of an official site. Such attacks could be used to fool people into divulging personal data to fake PayPal sites or Facebook accounts, for example.

Barefruit fixed the Javascript flaw last week, but Kaminsky claims the underlying problem remains. “The entire security of the internet is now dependent on some random ad server run by some British company,” Kaminsky told Wired.

Barefruit was unavailable for comment at the time of publication, but the company told Wired. “Barefruit endeavors to ensure online security while providing an improved internet user interface by replacing unhelpful and confusing error messages with alternatives relevant to what the user was seeking.”