Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/29/2013
11:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

HTTPS Side-Channel Attack A Tool For Encrypted Secret Theft

Researchers to release details on how SSL vulnerability gives attackers ability to steal everything from OAuth tokens to PII through an enterprise app in just 30 seconds

A new side channel vulnerability in HTTPS traffic could make it possible for targeted attackers to dig up secrets like session identifiers, CSRF tokens, OAuth tokens, and ViewState hidden fields without users ever being the wiser, say researchers who will explain how the attack could work at this year's Black Hat.

Click here for more of Dark Reading's Black Hat articles.

"It's a very powerful tool that -- if you know how to use it under certain conditions and you know who you're targeting -- you could potentially compromise the security of their channel without them being aware. The victim is not going to see any certificate errors," says Angelo Prado, lead product security engineer at Salesforce.com, who, together with Neal Harris, application security engineer at Square, will be presenting information in a session titled "SSL, Gone in 30 Seconds-A BREACH beyond CRIME." "The attack is going to rely on being able to piggyback on the victim's browser."

According to Prado, the research he and Harris did builds on the Compression Ratio Info-leak Made Easy (CRIME) exploit discovered last fall by researchers Juliano Rizzo and Thai Duong.

"We're building on the footsteps of CRIME. We came across a widespread problem that affects a significant portion of Internet-facing applications and are taking it beyond the original research," Prado says, explaining the genesis of his and Harris' research into SSL flaws. "When you're designing security protocols, you can implement cryptography properly, but you cannot always provide perfect confidentiality. When you mix a lot of protocols into the stack, there might be other layers in the stack that might be overly permissive, and then you might be able to compromise the entire trust relationship."

[Is malware getting around BIOS security measures? See BIOS Bummer: New Malware Can Bypass BIOS Security.]

According to Prado, the attacker may not have to know the victim, but would need to know the system to be targeted and understand the structure of the system. While he and Harris are holding back the bulk of the technical details until the talk, Prado says that the attack generally works by gumming up the browser with a "significant" number of requests, but not significant enough that it would be impossible for a normal browser to execute.

"This is not a DDoS. It's not like Lucky 13 or some of the RC4 attacks in the past that would require years or months to execute," he says. "Our attack would be visible 30 seconds to a half an hour depending on the complexity of the secrets and the dynamics of the page you're trying to target."

These bursts of traffic could point toward one potential mitigation for such an attack, Prado says, explaining that monitoring for these spikes could help pinpoint attacks. Unfortunately, he says that the possibility is high that the fix for the vulnerability is "nontrivial," so it's going to take work with the major browser vendors to look for other remediations and mitigations to lower the risk of users being targeted. He and his research partner are currently working with these vendors through CERT to come up with solutions in advance of Black Hat.

At the show, Prado and Harris will demonstrate an attack on a major enterprise application that will be able to uncover encrypted secrets in 30 seconds. They'll also be releasing a proof-of-concept tool that will allow users to test how the attack works against a sample page.

"And then you're going to be able to point that against your page to hack yourself and determine if you're vulnerable and, if you are, how bad it is," Prado says.

He hopes that his talk will raise awareness about the potential attack, which he says "is very real" and something that enterprises with high-value targets should be concerned about.

"Our attack is for an application that is very fortified, solid, and strong. I would imagine, potentially, a competitor or a foreign nation threat could use the attack to extract a secret off a page that would enable them to impersonate the user on that page," he says. "They might be able to recover a secret that then lets them escalate privileges and get into that application."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14230
PUBLISHED: 2019-07-21
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.7 for WordPress. One could exploit the id parameter in the set_count ajax nopriv handler due to there being no sanitization prior to use in a SQL query in saveQuestionVote. This allows an unauthenticated/unprivileged user ...
CVE-2019-14231
PUBLISHED: 2019-07-21
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.2 for WordPress. One could exploit the points parameter in the ob_get_results ajax nopriv handler due to there being no sanitization prior to use in a SQL query in getResultByPointsTrivia. This allows an unauthenticated/un...
CVE-2019-14207
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.11. The application could crash when calling the clone function due to an endless loop resulting from confusing relationships between a child and parent object (caused by an append error).
CVE-2019-14208
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.10. The application could be exposed to a NULL pointer dereference and crash when getting a PDF object from a document, or parsing a certain portfolio that contains a null dictionary.
CVE-2019-14209
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.10. The application could be exposed to Heap Corruption due to data desynchrony when adding AcroForm.