Indian ISP and mobile communications provider Airtel seems to have forgotten this exact rule. For almost a week now, Airtel has been hijacking users' HTTP requests and injecting full-page ads for its own DTH service into the responses (Screenshot).
To add even further security risk to this mess, I am fairly certain that the page used to display advertisements is vulnerable to a cross-site scripting attack. This means that an attacker can steal the cookies of an Airtel user even if the website in question has no obvious flaws.
Besides the obvious risks posed by the XSS flaw, there is also the question of how they handle:
- SSL connections.
- Client-side certificates.
- Sensitive user data sent via web forms, only to be interrupted by Airtel ads.
- Users carrying out banking or other sensitive activities, which, when interrupted, can result in multiple payments being processed.
- And most importantly, what guarantee Airtel provides that user requests and information are not maliciously redirected to and stored on the Airtel ad server.
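One way a user or site operator can check for the kind of injection described above is to fetch a page over a trusted path (HTTPS, or a locally kept reference copy) and compare it with the copy that arrives over plain HTTP through the ISP. The following is an added example, not code from the original post; the two HTML documents and the `ads.isp-example.invalid` hostname are constructed for the demo and do not reproduce Airtel's actual ad page.

```python
# Added example, not code from the original post: compare a page as served
# by the origin with the copy received through the ISP over plain HTTP and
# report what the path in between added.  HTML and hostnames are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

class _PageFacts(HTMLParser):
    """Hosts referenced by script/iframe/img/form, inline script count, text."""
    def __init__(self):
        super().__init__()
        self.origins, self.inline_scripts, self.text = set(), 0, []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ref = a.get("action") if tag == "form" else a.get("src")
        if tag in ("script", "iframe", "img", "form") and ref:
            host = urlparse(ref).netloc.lower()
            if host:
                self.origins.add(host)
        # Only a <script> without src carries inline code we want to count.
        self._in_script = tag == "script" and not a.get("src")
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if data.strip():
            if self._in_script:
                self.inline_scripts += 1
            else:
                self.text.append(data.strip())

def compare(expected_html, observed_html):
    # Third-party hosts, inline scripts and wholesale content replacement
    # that the observed copy shows relative to the origin's own page.
    exp, obs = _PageFacts(), _PageFacts()
    exp.feed(expected_html)
    obs.feed(observed_html)
    exp_text, obs_text = " ".join(exp.text), " ".join(obs.text)
    return {
        "new_origins": sorted(obs.origins - exp.origins),
        "new_inline_scripts": max(0, obs.inline_scripts - exp.inline_scripts),
        # Origin's visible text is gone entirely: a full-page replacement.
        "content_replaced": bool(exp_text) and exp_text not in obs_text,
    }

# Constructed sample: the origin's login page, and the same request answered
# with an interstitial ad that loads from a hypothetical ad server.
ORIGIN_PAGE = ('<html><head><title>Example Bank</title></head><body><h1>Example '
               'Bank login</h1><form action="/login" method="post"><input name='
               '"user"><input name="pass" type="password"></form></body></html>')
INJECTED_PAGE = ('<html><head><title>Special offer</title><script src="http://'
                 'ads.isp-example.invalid/banner.js"></script></head><body><h1>'
                 'Special offer</h1><iframe src="http://ads.isp-example.invalid/'
                 'offer"></iframe><script>showOffer()</script></body></html>')
```

Calling `compare(ORIGIN_PAGE, INJECTED_PAGE)` flags the ad server as a new origin, one added inline script, and that the bank's own content was replaced outright; comparing the origin page with itself reports nothing.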
Airtel may have made a few extra bucks from these ads, but I for one will never be using an Airtel service as far as I can help it.