Vulnerabilities / Threats
6/29/2013
11:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

HTTPS Side-Channel Attack A Tool For Encrypted Secret Theft

Researchers to release details on how SSL vulnerability gives attackers ability to steal everything from OAuth tokens to PII through an enterprise app in just 30 seconds

A new side channel vulnerability in HTTPS traffic could make it possible for targeted attackers to dig up secrets like session identifiers, CSRF tokens, OAuth tokens, and ViewState hidden fields without users ever being the wiser, say researchers who will explain how the attack could work at this year's Black Hat.

Click here for more of Dark Reading's Black Hat articles.

"It's a very powerful tool that -- if you know how to use it under certain conditions and you know who you're targeting -- you could potentially compromise the security of their channel without them being aware. The victim is not going to see any certificate errors," says Angelo Prado, lead product security engineer at Salesforce.com, who, together with Neal Harris, application security engineer at Square, will be presenting information in a session titled "SSL, Gone in 30 Seconds-A BREACH beyond CRIME." "The attack is going to rely on being able to piggyback on the victim's browser."

According to Prado, the research he and Harris did builds on the Compression Ratio Info-leak Made Easy (CRIME) exploit discovered last fall by researchers Juliano Rizzo and Thai Duong.

"We're building on the footsteps of CRIME. We came across a widespread problem that affects a significant portion of Internet-facing applications and are taking it beyond the original research," Prado says, explaining the genesis of his and Harris' research into SSL flaws. "When you're designing security protocols, you can implement cryptography properly, but you cannot always provide perfect confidentiality. When you mix a lot of protocols into the stack, there might be other layers in the stack that might be overly permissive, and then you might be able to compromise the entire trust relationship."

[Is malware getting around BIOS security measures? See BIOS Bummer: New Malware Can Bypass BIOS Security.]

According to Prado, the attacker may not have to know the victim, but would need to know the system to be targeted and understand the structure of the system. While he and Harris are holding back the bulk of the technical details until the talk, Prado says that the attack generally works by gumming up the browser with a "significant" number of requests, but not significant enough that it would be impossible for a normal browser to execute.

"This is not a DDoS. It's not like Lucky 13 or some of the RC4 attacks in the past that would require years or months to execute," he says. "Our attack would be visible 30 seconds to a half an hour depending on the complexity of the secrets and the dynamics of the page you're trying to target."

These bursts of traffic could point toward one potential mitigation for such an attack, Prado says, explaining that monitoring for these spikes could help pinpoint attacks. Unfortunately, he says that the possibility is high that the fix for the vulnerability is "nontrivial," so it's going to take work with the major browser vendors to look for other remediations and mitigations to lower the risk of users being targeted. He and his research partner are currently working with these vendors through CERT to come up with solutions in advance of Black Hat.

At the show, Prado and Harris will demonstrate an attack on a major enterprise application that will be able to uncover encrypted secrets in 30 seconds. They'll also be releasing a proof-of-concept tool that will allow users to test how the attack works against a sample page.

"And then you're going to be able to point that against your page to hack yourself and determine if you're vulnerable and, if you are, how bad it is," Prado says.

He hopes that his talk will raise awareness about the potential attack, which he says "is very real" and something that enterprises with high-value targets should be concerned about.

"Our attack is for an application that is very fortified, solid, and strong. I would imagine, potentially, a competitor or a foreign nation threat could use the attack to extract a secret off a page that would enable them to impersonate the user on that page," he says. "They might be able to recover a secret that then lets them escalate privileges and get into that application."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.