Cùran's life
A Debian Developer's observations

26th October 2011 12:18 (GMT)
comScore/Nedstat: a larger Phish market

You might have read my recent post about an open redirect on WEB.DE's homepage. Now, as it turns out, the spread of this particular bug is far wider, than I first thought.

After posting the previous story, I was surprised, how long it's taking to fix the bug. Then I remembered, that the domain for the redirect wasn't web.de but ui-portal.de. Now, knowing that WEB.DE is owned by United Internet doesn't make it that suspicious, but I was intrigued enough to check what the DNS said about the domain. And, as it turns out, the domain points to an IP owned by comScore/Nedstat:

$ dig @85.214.73.63 wa.ui-portal.de

; <<>> DiG 9.7.3 <<>> @85.214.73.63 wa.ui-portal.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51273
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;wa.ui-portal.de.               IN      A

;; ANSWER SECTION:
wa.ui-portal.de.        10      IN      CNAME   wa-ui-portal-de.sitestat.com.
wa-ui-portal-de.sitestat.com. 30 IN     A       77.72.113.50

;; AUTHORITY SECTION:
wa-ui-portal-de.sitestat.com. 83 IN     NS      glns03.sitestat.com.
wa-ui-portal-de.sitestat.com. 83 IN     NS      glns02.sitestat.com.
wa-ui-portal-de.sitestat.com. 83 IN     NS      glns01.sitestat.com.

;; ADDITIONAL SECTION:
glns01.sitestat.com.    24      IN      A       77.72.113.10
glns02.sitestat.com.    24      IN      A       77.72.115.10
glns03.sitestat.com.    24      IN      A       87.249.105.10

;; Query time: 63 msec
;; SERVER: 85.214.73.63#53(85.214.73.63)
;; WHEN: Wed Oct 26 14:27:54 2011
;; MSG SIZE  rcvd: 202

All that is missing now, to confirm everything, is a whois for 77.72.113.50, which shows Nedstat B.V. as the owner (Nedstat is a part of comScore since 2010).

That was, when I realized, that there are probably a lot more sites offering such links, and as a search for inurl:ns_url=http shows (I'm not yet linking to a result page, but you can look it up yourself, of course), that assumption was correct. There are some big names like Siemens or the Bertelsmann Stiftung, using the click-tracking service by Nedstat, returned by the search. That is a problem, as links looking like they're pointing to a trustworthy site/domain have a high potential for being clicked. Most people won't notice the open redirect, especially not, if the attacker took some time to design a target page, that looks like the original (most likely for phishing) or let the redirect point directly at some installer for malicious software or both.

I've informed Siemens and the Bertelsmann Stiftung too, but I can't inform every affected website operator, so I've informed comScore/Nedstat directly and hope, they'll fix the issue in a timely manner. And not less important: inform their customers immediately.

Permalink | debian, security.

License: Creative Commons Attribution-ShareAlike 3.0 Unported License | Imprint (Impressum) | Compiled with Chronicle v4.6

Archives

Tags
Feed
Support my Debian work!
Validated