Saturday, February 28, 2009

Airtel Injecting Ads into User's Browsers

Most businesses have one aim: to maximize profits. However, while doing so there must be a balance between risk management, customer security and, most importantly, FAIR PLAY.

Indian ISP and mobile communications provider Airtel seems to have forgotten this exact rule. For almost a week now, Airtel has been "hijacking" users' HTTP requests and injecting them with full-page ads for its own DTH service (Screenshot).

To add even further security risk to this mess, I am fairly certain that the page used to display advertisements is vulnerable to a Cross-Site Scripting attack. This means that an attacker can steal the cookies of an Airtel user even if the website in question has no obvious flaws.

Besides the obvious risks posed by the XSS flaw, there is also the matter of how they handle:
  • SSL connections.
  • Client-side certificates.
  • Sensitive user data sent via web forms, only to be interrupted by Airtel ads.
  • Users carrying out banking or other sensitive activities, which when interrupted can result in multiple payments being processed.
  • And most importantly, what guarantee Airtel is providing with regard to user requests and information being maliciously redirected and stored on the Airtel ad server.
Also, what about the fact that they are further affecting web publishers' advertising revenues by placing ads on content they did not write or develop? This is an extremely grim move on the part of Airtel, and I sincerely hope that no other ISPs follow in its footsteps.

Airtel may have made a few extra bucks from these ads, but I for one will never be using an Airtel service as far as I can help it.

Wednesday, February 25, 2009

Indian Information Security Incidents Gallery

I was recently on the phone with Dinesh O'Bareja and he mentioned a blog he started some time back to document Indian Information Security Incidents. I think it's a great initiative on his part and one that we definitely require in the Indian IT Security space.

As anyone who has been involved in the Indian IT industry can tell you, for most organizations security is always a low priority. One of the reasons for this is the lack of corporate liability for the loss of customer data.

Most companies that are faced with a breach use the hush-hush approach and sweep the incident under the rug. This leaves consumers whose personal information has been compromised in the dark until their next statement shows up with fraudulent transactions.

In other countries, there are security breach notification laws in place to ensure that the consumer is well informed and that the responsible company either compensates the victim or subscribes them to an identity monitoring service.

Coming back to the India InfoSec: Incidents Hall of Shame / Fame Gallery Blog, I think Dinesh has definitely taken the right step. Only when more attention is given to security incidents will we see companies dealing with them in a more responsible and accountable manner.

So if anyone out there has witnessed any security incidents, go ahead and drop Dinesh an e-mail.