A newly discovered flaw in the internet's core infrastructure not only permits hackers to force people to visit web sites they didn't want to, it also allows them to intercept email messages, the researcher who discovered the bug said.
An Associated Press report said the vulnerability Dan Kaminsky of Seattle-based security consultant IOActive, found is especially insidious because it allows criminals to tamper with machines whose reliability and trustworthiness is critical for the internet to function properly.
Kaminsky exposed the vulnerability in the internet's design that, in one case, allowed hackers to reroute some computer users in Texas to a fake Google.com site loaded with automated advertisement-clicking programs, a scam to generate profits for the hackers from those clicks, the report said.
Considering the silent nature of the attack and the sensitive nature of a lot of electronic correspondence, the potential for damage from this second security flaw is high.
But there's no evidence yet that this method of targeting email has been used in a successful attack.
The flaw wasn't in the site itself, it was in the back-end machines responsible for guiding computers to that site.
Kaminsky, who spoke at the Black Hat hacker conference in Las Vegas, has given few details publicly about the vulnerability he found in the Domain Name System (DNS), a network of servers used to connect computers to web sites.
He remained tightlipped so that internet providers would have time to fix their machines. Many have done that, but others have delayed, leaving some people at risk.
Major vendors like Microsoft, Cisco Systems, Sun Microsystems and others have issued patches, software tweaks that cover the security hole and prevent affected machines from ingesting the bogus information hackers are trying to feed them.