NebuAd Forges Net Packets to Drop Cookies on Users, Report Says - Via Threat Level:
An online advertising firm called NebuAd that pays ISPs to let it eavesdrop on web users doesn't just passively record traffic, but actively injects fake packets into responses from other websites in order to deliver cookies to ISP users in clear violation of accepted internet protocols, according to a technical report released by the advocacy group FreePress on Wednesday.
The report from the open net advocacy group describes the system as a "browser hijack," comparing it to two classic hacker attacks.
NebuAd first drew widespread attention after Charter Communications, the nation's fourth largest ISP, announced it would try out the company's technology, promising that users would love having more targeted ads served to them. That announcement brought unwanted media and Congressional attention to NebuAd, which had already installed monitoring boxes inside the network of at least one smaller ISP, WoW.
NebuAd's boxes eavesdrop on web browsing and searches by peering deeply into internet packets to pull out URLs and search terms in order to classify each user's interests. That profile is then used to deliver tailored ads on various partner websites.
Additionally, FreePress found that sometimes when a WoW subscriber visited Yahoo! or Google, NebuAd faked an additional packet of data that appears to be the last part of the downloaded Google web page. Instead, the extra packet inserted NebuAd-written JavaScript into the fake Google homepage packet. That script directs users' browsers to a NebuAd-owned domain named faireagle.com, where NebuAd drops tracking cookies from other domains and companies on the user's computer. These can be used later to deliver customized ads based on analysis of where people have gone on the web or what search terms they have used.
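As an added illustration, not from the report or the article, here is a small Python check of the kind a defender could run over the server-to-client segments of a captured HTTP response to spot a trailing segment appended by a box in the path: it flags a segment whose IP TTL differs from the genuine server's packets (a forged packet has travelled a different number of hops) and any script tag whose source host is not the site the user actually requested. The Segment type, the host names and the four constructed segments are all assumptions made for the demonstration.

```python
import re
from collections import Counter
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int          # TCP sequence number of the first payload byte
    ttl: int          # IP TTL observed on the wire
    payload: bytes    # TCP payload of this segment

# Matches <script ... src="http(s)://HOST/..."> and captures HOST.
SCRIPT_SRC = re.compile(rb'<script[^>]+src=["\']https?://([^/"\']+)', re.I)

def suspicious_segments(segments, origin_host):
    """Flag server->client segments that look injected by a middlebox.

    Two independent signals are combined:
      1. TTL outlier: the packet's TTL differs from the TTL seen on the
         majority of segments, i.e. it did not come from the same sender.
      2. Off-origin script: the payload references a <script src> on a host
         other than the site the client requested.
    Returns a list of (seq, reasons) tuples, one per flagged segment.
    """
    majority_ttl = Counter(s.ttl for s in segments).most_common(1)[0][0]
    findings = []
    for s in segments:
        reasons = []
        if s.ttl != majority_ttl:
            reasons.append(f"ttl {s.ttl} != majority {majority_ttl}")
        for host in SCRIPT_SRC.findall(s.payload):
            if host.decode() != origin_host:
                reasons.append(f"off-origin script from {host.decode()}")
        if reasons:
            findings.append((s.seq, reasons))
    return findings

# Constructed sample (hypothetical hosts): three genuine segments of an HTML
# response from www.example.test, followed by one forged trailing segment.
SAMPLE = [
    Segment(1000, 52, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head>"),
    Segment(1060, 52, b"<title>Search</title></head><body><form>...</form>"),
    Segment(1115, 52, b"</body></html>"),
    Segment(1129, 61, b'<script src="http://tracker.example.invalid/x.js"></script>'),
]

if __name__ == "__main__":
    for seq, reasons in suspicious_segments(SAMPLE, "www.example.test"):
        print(seq, "; ".join(reasons))
```

On real captures the TTL heuristic needs a baseline per server, since legitimate route changes also shift TTL; the off-origin script check is the stronger of the two signals.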
The report (.pdf) was written by Robb Topolski, an engineer who started consulting for FreePress after gaining fame by detecting Comcast's forgery of P2P traffic early last year. He testified about the ongoing packet forgery by Comcast at a Federal Communications Commission hearing at Stanford in April.
"NebuAd and ISPs together cooperate in this attack against the intentions of the consumers, the designers of their software and the owners of the servers that they visit," he writes.
Topolski compares the behavior of NebuAd to that of two common hacking attacks: cross-site scripting and man-in-the-middle attacks. In the former, a hacker finds a way to have his own malicious JavaScript executed on a page he does not own. In the latter, an attacker who wants to steal passwords or listen in on a conversation gets access to the traffic running between two parties and records it, or even distorts the communication for his own benefit.
He also argues that NebuAd is violating core Internet protocols, which stipulate that packets originate from devices at the edge, while devices in the middle are supposed to route the packets, not modify or initiate them.
NebuAd has been unwilling to talk about how its technology and opt-out process work, how long it stores data, whether users can see or delete their profiles or even whether anyone at the company has any relevant privacy policy experience. The company's only publicly available patent application is for a system that forges packets and replaces a website's banner ads with its own as the data flows from a website to a user's computer. But the company says it is not replacing other sites' ads and claims to have filed for a patent for its complicated opt-out system, though it is not findable via patent searches and the company has declined to send THREAT LEVEL a copy of the application.
NebuAd did not respond to a request for comment or clarification of the report's findings by deadline.
FreePress's report raises further interesting questions about the legality of the system, including whether the company could run afoul of trademark law by making a site like Google look as if it is installing many tracking cookies on a user's computer.
Charter has not yet begun the trials it announced for four cities in the U.S., but plans to very soon, according to a spokeswoman. Company executives also met with Congressman Ed Markey (D-Massachusetts) to discuss his concerns, and described the meeting as "productive," the spokeswoman said.
Photo: Herby Hönigsperger / Flickr
(Read Original Article - Via Threat Level.)