None dare call it cracking

Researcher: NebuAd forges Google data packets | The Register

“There was an extra 133 bytes of JavaScript code being added to web pages being sent,” Topolski tells us. “It was being sent in a separate packet, and even though it wasn’t coming from Google, it was identified as being from”

That bit of JavaScript code, Topolski continued, instructed the browser to load additional script from the domain FairEagle is a subsidiary of NebuAd, and one of the cookies that turned up on Topolski’s browser was tagged with that same domain.

In his report, Topolski compares this trick to several common hacking techniques, including a browser hijack, a cross-site scripting attack, and a man-in-the-middle attack. “NebuAd exploits normal browser and security behaviors by forging IP packets, allowing their own JavaScript code to be written into source code trusted by the web browser,” he writes. “NebuAd and ISPs together cooperate in this attack against the intentions of the consumers, the designers of their software and the owners of the servers that they visit.”

Google confirms that the extra cookies and the extra packets are not coming from its site. “The sections in [Robb Topolski’s] report that talks about Google are accurate,” says company spokesman Michael Kirkland. “We’re obviously aware of this issue and are looking into it.”

Forging packets as coming from a (somewhat) trusted source and using it to load your own code into the browser? If any hacking group were doing it, the feds would be working to roll them up. But gosh, if there’s a contract with an ISP, there’s probably a clause in your terms of service that requires to to let yourself be pwned (unless it’s by someone the ISP doesn’t approve of, in which case you’ll be thrown off their network instead). Oh, and if it turns out there’s no such clause, that would mean your ISP could be engaged in a conspiracy to violate antihacking statutes for profit. Whee.


2 Responses to “None dare call it cracking”

  1. Robb Topolski Says:

    I’d never call it “hacking,” because I know what that honorable activity is. What NebuAd pulls really is more akin to cracking — cracking an app instead of a network system, but cracking none-the-less. But I’d only confuse most people by saying that — it seems like nobody knows what that word means any more.

    Robb Topolski
    (the guy mentioned above)

  2. olderdog Says:

    They never really did. Even when Steve Levy’s book was a best-seller, maybe a few percent of the population knew the difference. But I like the distinction you make because this technique is almost precisely Mitnick’s TCP-hijacking attack in intent (albeit on a different layer and with a less-well-secured protocol and spanning a different kind of dynamic extent; OK, maybe it’s not really like Mitnick’s attack at all except for being man-in-the-middle).

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: