When ISPs Attack!

Here is a scary story about a company, Nebuad (no link juice for you!) that performs a MITM attack all in the name of better ads. Now sniffing to get better data on your customers has been around for a while. In fact I worked at a company that did this as part of our offering. Where NebuAd goes over the line is they manipulate the traffic to get their ad code in the mix.

But Free Press and Public Knowledge found that sometimes when a WOW subscriber visited Yahoo or Google, NebuAd faked an additional packet of data that appears to be the last part of the downloaded Google webpage. The extra packet included NebuAd-written JavaScript that directs users’ browsers to a NebuAd-owned domain named faireagle.com, where the company drops tracking cookies from other domains and companies on the user’s computer. These can be used later to deliver customized ads based off analysis of where people have gone on the web or what search terms they have used.

Cool so not only are they sniffing traffic they are now inject JavaScript and making it appear to originate from Google. This technique is the same one used by the ever popular and super fun Airpwn. Now what would happen if NebuAds servers where compromised? The ultimate JS malware distrubution platform would be born!

Link

Free Dr. Pepper Overloads Site, Exposes Captcha Key

I love Dr. Pepper. So when then announced they where giving it away for free I was all over it.

Sadly though the site was not up to the task and was continually failing in new and wonderful ways. Everything from Service Unavailable to this piece of code poo:

Start ‘, gmdate(”F j, Y, g:i:s a T”, $start_time), ‘
Now ‘, gmdate(”F j, Y, g:i:s a T”, time()), ‘
End ‘, gmdate(”F j, Y, g:i:s a T”, $end_time), ‘
Time From Start ‘, $g_nTimeToStart, ‘ (H:’,$g_nHoursFromStart,’ M:’,$g_nMinutesFromStart,’ S:’,$g_nSecondsFromStart,’)’, ‘
Time Until End ‘, $g_nTimeToEnd, ‘ (H:’,$g_nHoursToEnd,’ M:’,$g_nMinutesToEnd,’ S:’,$g_nSecondsToEnd,’)’, $g_bSwitch? ‘
SWITCH
‘:’
NO SWITCH
‘; exit(); } require_once(’recaptchalib.php’); include “account/process_user.php”; // Get a key from http://recaptcha.net/api/getkey $publickey = “6Lcp6AMAAAAAACdUl5_X5cbuQLzgWMMRHlb3MbwV”; $privatekey = “6Lcp6AMAAAAAAGR1pjoXN2dLHg9sVIKmBR-XXXX”; ?>

Hey cool a private key (I changed it above)! It looks like to goes to ReCaptcha so I hop on over to the ReCaptcha site to find out how bad this is. I found this;

Signing up for a reCAPTCHA Key

In order to use reCAPTCHA, you need a public/private API key pair. This key pair helps to prevent an attack where somebody hosts a reCAPTCHA on their website, collects answers from their visitors and submits the answers to your site. You can sign up for a key on the reCAPTCHA Administration Portal.

So if you where paying attention you can now crack Dr. Peppers ReCaptcha all day long. This is not the end of the world but I am sure some spammer somewhere is already on in and doing something not good.

This is a great example of the type of things missed when you are only looking one piece of the app. sec. problem.  This could have been prevented with an egress filter of some sort or better load a failure testing in QA. It looks like the folks at Dr Pepper are doing neither.

And I never did get my free Dr. Pepper!!