NNSquad - Network Neutrality Squad
[ NNSquad ] Re: Liability issues in ISP-injected ad systems?
On Sun, Apr 20, 2008 at 3:07 PM, Brett Glass <nnsquad@brettglass.com> wrote:

> It is unclear why this would create any more or different vulnerabilities
> than one might expect from any other site which contained third party
> advertising.

Actually, it's quite clear...

Because an attacker could inject arbitrary JavaScript into the context of the subdomain error page, he could create a page which to the victim's browser is errorfoo.www.targetdomain.com for ANY targetdomain.com of the victim. Since this is running in a subcontext, the attacker is now able to obtain any cookies associated with www.targetdomain.com, and encode them up in a way which the attacker can receive (by issuing requests/redirects to external URLs with encoded data).

This makes it effectively a GLOBAL cross-site-scripting attack.

Furthermore, since you can inject arbitrary code with redirects, you could effectively harvest a user's login credentials for EVERY site by tricking them into clicking on ONE URL!

This is a HUGE vulnerability.
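The post above rests on how browsers scope cookies: a page served under a name like errorfoo.www.targetdomain.com receives whatever cookies match that host. The following is an added example, not code from the original post or from any ISP system it discusses; it models the RFC 6265 domain-matching rule so a site operator can check which of their cookies would be sent to, and readable by script on, a page served under an arbitrary subdomain, and which cookie attributes (no Domain attribute, i.e. host-only; HttpOnly) limit that exposure. The hostnames, cookie names and the sample cookie jar are constructed for the example.

```javascript
// Added example (not from the original post): which stored cookies a browser
// would attach to a request for a given host, following the RFC 6265
// domain-matching rule, and which of those a script on that page could read.
// Hostnames and cookie values below are constructed samples.

// RFC 6265 section 5.1.3: a request host domain-matches a cookie domain when
// the two are equal, or the host ends with "." + cookieDomain and the host is
// not an IPv4 address. A leading dot on the cookie domain is ignored.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  const isIPv4 = /^\d+\.\d+\.\d+\.\d+$/.test(host);
  return !isIPv4 && host.endsWith("." + cookieDomain);
}

// A cookie set without a Domain attribute is host-only: it is returned only to
// the exact host that set it, never to subdomains of that host.
function cookieSentTo(cookie, host) {
  if (cookie.hostOnly) return host.toLowerCase() === cookie.domain.toLowerCase();
  return domainMatches(host, cookie.domain);
}

// For a given host, report (a) cookies the browser would send with the request
// and (b) the subset visible to page script via document.cookie (HttpOnly
// cookies are sent but not script-readable).
function exposure(jar, host) {
  const sent = jar.filter((c) => cookieSentTo(c, host));
  return {
    sent: sent.map((c) => c.name),
    scriptReadable: sent.filter((c) => !c.httpOnly).map((c) => c.name),
  };
}

// Constructed sample jar for a site at www.example.test.
const SAMPLE_JAR = [
  // Set by www.example.test with no Domain attribute: host-only.
  { name: "sid_hostonly", domain: "www.example.test", hostOnly: true, httpOnly: true },
  // Set with Domain=example.test: returned to every subdomain of example.test.
  { name: "sid_wide", domain: "example.test", hostOnly: false, httpOnly: false },
  // Same wide scope, but HttpOnly: sent, yet hidden from document.cookie.
  { name: "sid_wide_httponly", domain: "example.test", hostOnly: false, httpOnly: true },
];

// Usage: an error page served under a sub-subdomain of the site, as in the post.
function demo() {
  const onErrorPage = exposure(SAMPLE_JAR, "errorfoo.www.example.test");
  const onSiteItself = exposure(SAMPLE_JAR, "www.example.test");
  console.log("error page:", onErrorPage);
  console.log("site itself:", onSiteItself);
  return { onErrorPage, onSiteItself };
}

demo();
```

Running it shows the point a defender cares about: the host-only cookie is never sent to the sub-subdomain page at all, and of the two domain-wide cookies only the one without HttpOnly is readable by script there. Session cookies set without a Domain attribute and with HttpOnly therefore do not reach an injected script on a sibling or child hostname; cookies scoped to the registrable domain do.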