Vulnerabilities / Threats
6/29/2013
11:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

HTTPS Side-Channel Attack A Tool For Encrypted Secret Theft

Researchers to release details on how SSL vulnerability gives attackers ability to steal everything from OAuth tokens to PII through an enterprise app in just 30 seconds

A new side channel vulnerability in HTTPS traffic could make it possible for targeted attackers to dig up secrets like session identifiers, CSRF tokens, OAuth tokens, and ViewState hidden fields without users ever being the wiser, say researchers who will explain how the attack could work at this year's Black Hat.

Click here for more of Dark Reading's Black Hat articles.

"It's a very powerful tool that -- if you know how to use it under certain conditions and you know who you're targeting -- you could potentially compromise the security of their channel without them being aware. The victim is not going to see any certificate errors," says Angelo Prado, lead product security engineer at Salesforce.com, who, together with Neal Harris, application security engineer at Square, will be presenting information in a session titled "SSL, Gone in 30 Seconds-A BREACH beyond CRIME." "The attack is going to rely on being able to piggyback on the victim's browser."

According to Prado, the research he and Harris did builds on the Compression Ratio Info-leak Made Easy (CRIME) exploit discovered last fall by researchers Juliano Rizzo and Thai Duong.

"We're building on the footsteps of CRIME. We came across a widespread problem that affects a significant portion of Internet-facing applications and are taking it beyond the original research," Prado says, explaining the genesis of his and Harris' research into SSL flaws. "When you're designing security protocols, you can implement cryptography properly, but you cannot always provide perfect confidentiality. When you mix a lot of protocols into the stack, there might be other layers in the stack that might be overly permissive, and then you might be able to compromise the entire trust relationship."

[Is malware getting around BIOS security measures? See BIOS Bummer: New Malware Can Bypass BIOS Security.]

According to Prado, the attacker may not have to know the victim, but would need to know the system to be targeted and understand the structure of the system. While he and Harris are holding back the bulk of the technical details until the talk, Prado says that the attack generally works by gumming up the browser with a "significant" number of requests, but not significant enough that it would be impossible for a normal browser to execute.

"This is not a DDoS. It's not like Lucky 13 or some of the RC4 attacks in the past that would require years or months to execute," he says. "Our attack would be visible 30 seconds to a half an hour depending on the complexity of the secrets and the dynamics of the page you're trying to target."

These bursts of traffic could point toward one potential mitigation for such an attack, Prado says, explaining that monitoring for these spikes could help pinpoint attacks. Unfortunately, he says that the possibility is high that the fix for the vulnerability is "nontrivial," so it's going to take work with the major browser vendors to look for other remediations and mitigations to lower the risk of users being targeted. He and his research partner are currently working with these vendors through CERT to come up with solutions in advance of Black Hat.

At the show, Prado and Harris will demonstrate an attack on a major enterprise application that will be able to uncover encrypted secrets in 30 seconds. They'll also be releasing a proof-of-concept tool that will allow users to test how the attack works against a sample page.

"And then you're going to be able to point that against your page to hack yourself and determine if you're vulnerable and, if you are, how bad it is," Prado says.

He hopes that his talk will raise awareness about the potential attack, which he says "is very real" and something that enterprises with high-value targets should be concerned about.

"Our attack is for an application that is very fortified, solid, and strong. I would imagine, potentially, a competitor or a foreign nation threat could use the attack to extract a secret off a page that would enable them to impersonate the user on that page," he says. "They might be able to recover a secret that then lets them escalate privileges and get into that application."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.