Saturday, February 28, 2009

Airtel Injecting Ads into Users' Browsers

Most businesses have one aim: to maximize profits. However, while doing so there must be a balance between risk management, customer security and, most importantly, FAIR PLAY.

Indian ISP and mobile communications provider Airtel seems to have forgotten this exact rule. For almost a week now, Airtel has been "hijacking" users' HTTP requests and injecting them with full-page ads for its own DTH service (Screenshot).

To add a further security risk to this mess, I am fairly certain that the page used to display advertisements is vulnerable to a Cross-Site Scripting attack. This means that an attacker can steal the cookies of an Airtel user even if the website in question has no obvious flaws.

Besides the obvious risks posed by the XSS flaw, there is also the matter of how they handle:
  • SSL connections.
  • Client-side certificates.
  • Sensitive user data sent via web forms only to be interrupted by Airtel ads.
  • Users carrying out banking or other sensitive activities which, when interrupted, can result in multiple payments being processed.
  • And most importantly, what guarantee is Airtel providing with regard to user requests and information being maliciously redirected and stored on the Airtel ad server?

Also, what about the fact that they are further affecting web publishers' advertising revenues by placing ads on content they did not write or develop? This is an extremely grim move on the part of Airtel, and I sincerely hope that no other ISPs follow in its footsteps.

Airtel may have made a few extra bucks from these ads, but I for one will never be using an Airtel service as far as I can help it.
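
A check a publisher or user could run to notice this kind of in-transit modification, as an added example that is not part of the original post: it compares a trusted reference copy of a static page (for example, one fetched over HTTPS) with the copy received over plain HTTP, and lists any resource hosts that appear only in the received copy. The function names, hostnames and sample HTML are assumptions constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ResourceHosts(HTMLParser):
    """Collect the hosts that a page loads external resources from."""
    TAGS = {"script", "iframe", "frame", "img", "embed", "object", "link"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        for name, value in attrs:
            if name in ("src", "href", "data") and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host.lower())


def resource_hosts(html):
    parser = _ResourceHosts()
    parser.feed(html)
    return parser.hosts


def check_for_injection(reference_html, received_html):
    """Compare the copy received over HTTP with a trusted reference copy.
    Assumes a static page; dynamic pages need a per-response digest instead."""
    ref_digest = hashlib.sha256(reference_html.encode("utf-8")).hexdigest()
    got_digest = hashlib.sha256(received_html.encode("utf-8")).hexdigest()
    new_hosts = resource_hosts(received_html) - resource_hosts(reference_html)
    return {"modified": ref_digest != got_digest,
            "unexpected_hosts": sorted(new_hosts)}


# Constructed sample data; all hostnames are placeholders.
REFERENCE = """<html><head><title>News</title>
<script src="http://static.publisher.example/app.js"></script></head>
<body><h1>Headline</h1></body></html>"""

# Constructed: the page replaced in transit by a full-page ad frame.
INJECTED = """<html><head><title>Offer</title></head>
<body><iframe src="http://ads.isp.example/offer"></iframe></body></html>"""

if __name__ == "__main__":
    print(check_for_injection(REFERENCE, REFERENCE))
    print(check_for_injection(REFERENCE, INJECTED))
```
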

