ITPRO

Printed from www.itpro.co.uk


UK typo business compromises web security

A security researcher has claimed that Barefruit's system could cause trouble for online companies and their customers.

By Barry Collins, 21 Apr 2008 at 11:37

A UK-based firm which tries to make money from web address typos could be compromising the security of the biggest companies online, a security researcher has said.

The problem stems from ISPs who employ the British firm Barefruit to intercept traffic from non-existent domains, where the user has typed a web address that doesn't exist.

Instead of returning a normal error message page, Barefruit provides a list of suggestions for the site the reader may have intended to visit, as well as a series of ads.

The potential security flaw arises when the user mistypes a subdomain of a well-known website - such as webmale.google.com instead of webmail.google.com. In this instance, according to a report on Wired.com, the Barefruit content appears in the browser window while the title bar continues to suggest it's an official Google site.

IOActive security researcher Dan Kaminsky claimed Barefruit's servers were vulnerable to a JavaScript attack that made it possible to serve up any links the attacker wanted, whilst still having the appearance of an official site. Such attacks could be used to fool people into divulging personal data to fake PayPal sites or Facebook accounts, for example.

Barefruit fixed the JavaScript flaw last week, but Kaminsky said the underlying problem remains. "The entire security of the internet is now dependent on some random ad server run by some British company," Kaminsky told Wired.

Barefruit was unavailable for comment at the time of publication, but the company told Wired: "Barefruit endeavors to ensure online security while providing an improved internet user interface by replacing unhelpful and confusing error messages with alternatives relevant to what the user was seeking."
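The interception described above can be checked for from the user's side of the resolver. The following is an added example, not code from the article or from any party it names: it resolves random names that cannot exist and reports any that come back with an address. The function names, the `example.com` parent domain and the stub resolvers used to exercise it are assumptions made for illustration.

```python
import secrets
import socket


def system_resolve(name):
    """Return the set of addresses the system resolver gives for name (empty on failure)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_nxdomain_rewriting(parent_domain, resolve=system_resolve, probes=3):
    """Probe random, never-registered names and report any that resolve.

    Names under .invalid can never exist (RFC 6761), so an answer there means
    the resolver substitutes its own response for NXDOMAIN. An answer for a
    random label under parent_domain means either the same substitution or a
    wildcard record published by the domain owner, so it needs manual review.
    """
    findings = {"invalid_tld": {}, "subdomain": {}}
    for _ in range(probes):
        label = "nx-" + secrets.token_hex(8)  # random label, hypothetical prefix
        for kind, name in (("invalid_tld", label + ".invalid"),
                           ("subdomain", label + "." + parent_domain)):
            addrs = resolve(name)
            if addrs:
                findings[kind][name] = sorted(addrs)
    rewriting = bool(findings["invalid_tld"])
    return {
        "rewriting_detected": rewriting,
        "subdomain_answers_need_review": bool(findings["subdomain"]) and not rewriting,
        "findings": findings,
    }


if __name__ == "__main__":
    # example.com is a placeholder; substitute a domain you rely on.
    print(check_nxdomain_rewriting("example.com"))
```

A clean result on the `.invalid` probes does not rule out substitution that is applied only to subdomains of existing sites, which is why the second set of probes is reported separately.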
