Error pages “leave entire web open to hackers”
A British company that attempts to make money from mistyped web address is compromising the security of the internet’s biggest companies, according to a security researcher.
The problem stems from ISPs who employ the British firm Barefruit to intercept traffic from non-existent domains, where the user has typed a web address that doesn’t exist.
Instead of returning a normal error message page, Barefruit provides a list of suggestions for the site the reader may have intended to visit, as well as a series of ads.
The potential security flaw arises when the user mistypes a subdomain of a well-known website – such as webmale.google.com instead of webmail.google.com. In this instance, according to a report on renowned technology site Wired.com, the Barefruit content appears in the browser window while the title bar continues to suggest it’s an official Google site.
Barefruit was unavailable for comment at the time of publication, but the company told Wired. “Barefruit endeavors to ensure online security while providing an improved internet user interface by replacing unhelpful and confusing error messages with alternatives relevant to what the user was seeking.”