Welcome to CedarLogic, LLC - Shawn Cicoria

Shawn Cicoria - CedarLogic

Perspectives and Observations on Technology

Search Jacking (DNS too) opens users to vulnerabilities

A while back I blogged about how Verizon was hijacking failed DNS lookups. What I failed to realize at the time was that not only does this add to a poor experience for users, but it also opens up the ability for ISPs to obtain private information, in the form of cookies, for many sites.

For example, cookies for "google.com" are issued to the "google.com" domain. If I type in "junk.google.com" and that is not an actual host serviced by google.com, the DNS for Google will return a not-found for that name resolution. Verizon, in turn, captures that and then presents some other page, making my browser think it's a valid address and, as a result, offer up all the cookies I have for google.com to this phony website.

BIG HOLE. This is a form of forgery, if you ask me, and soon, I expect, we'll see some exploit that opens up liability to these hijackers, along with making users again feel so uncomfortable about the safety of the web.
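The cookie scoping behind the junk.google.com example above, as an added example that is not part of the original post: it applies the RFC 6265 domain-match rule to a constructed cookie jar to show which cookies a browser would attach to the substituted page. The cookie names and flags are assumptions made for illustration, and path matching and IP-address hosts are left out.

```javascript
// Added example: RFC 6265 cookie selection for a request to a mistyped subdomain.
// The jar below is constructed sample data, not real cookies.

// RFC 6265 section 5.1.3: a host matches a cookie domain if the two are
// identical or the host ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Return the names of the cookies a browser would attach to a request for `url`.
function cookiesSentTo(url, jar) {
  const { hostname, protocol } = new URL(url);
  return jar
    .filter((c) => {
      // Host-only cookies (set without a Domain attribute) need an exact host match.
      const hostOk = c.hostOnly
        ? hostname.toLowerCase() === c.domain.toLowerCase()
        : domainMatch(hostname, c.domain);
      // Secure cookies are only sent over HTTPS.
      const schemeOk = !c.secure || protocol === "https:";
      return hostOk && schemeOk;
    })
    .map((c) => c.name);
}

// Constructed jar: names and flags are illustrative assumptions.
const SAMPLE_JAR = [
  { name: "prefs",   domain: "google.com",     hostOnly: false, secure: false }, // Domain=google.com
  { name: "session", domain: "google.com",     hostOnly: false, secure: true },  // Domain=google.com; Secure
  { name: "mailsid", domain: "www.google.com", hostOnly: true,  secure: true },  // no Domain attribute
];

// The mistyped name from the post, answered by a resolver that rewrites "not found".
const HIJACKED = "http://junk.google.com/";

// Compare what goes to the substituted page with what goes to the real site.
function report() {
  return {
    hijacked: cookiesSentTo(HIJACKED, SAMPLE_JAR),
    legit: cookiesSentTo("https://www.google.com/", SAMPLE_JAR),
  };
}

console.log(report());
```

Only the cookie scoped to the whole domain without the Secure flag reaches the substituted page; cookies set without a Domain attribute, or marked Secure, are withheld from a plain-HTTP request to a host that does not really exist.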

ISP typo pimping exposes users to fraudulent web pages | The Register

Posted: Sunday, April 20, 2008 12:00 PM by cicorias
