HEIST Attack On HTTPS Websites Can Steal Your Private Data
Two security researchers, Mathy Vanhoef and Tom Van Goethem, explained their findings at the Black Hat conference this week. HEIST stands for "HTTP Encrypted Information can be Stolen Through TCP-Windows".
"Compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring network access," the researchers said in the paper.
"If we know that HTTP/2 is used, we can let the browser simultaneously request the targeted resource, and another resource that contains reflected content," Vanhoef and Van Goethem wrote in a research paper. "Since HTTP/2 is used, both requests are sent in parallel to the server, and the server replies to them in parallel as well."
How does this attack work?
HEIST builds on two earlier attacks, BREACH and CRIME, to decrypt transmitted data without the attacker having to be in a man-in-the-middle (MITM) position on the network. When a visitor surfs a compromised website, the malicious code silently runs in the background. HEIST works with both the older HTTP/1.x and the new HTTP/2 protocols.
According to Ars,
Van Goethem and fellow researcher Mathy Vanhoef have already disclosed their findings to researchers at both Google and Microsoft. That means Wednesday's demonstration isn't likely to catch them by surprise. Still, when asked how possible the attack is against Gmail, Bank of America, and other real-world sites, Van Goethem gave the following answer:
If I would take my time, and write exploits for a number of websites, then visiting a malicious site (it even doesn't have to be a malicious one, there could also happen to be a malicious JavaScript file on there; there are numerous possibilities for that to happen), could cause a lot of havoc. Probably the most damage could be dealt out by exploiting BREACH, as it allows the attacker to read out CSRF tokens. Depending on the functionality offered by the website, it could be that by knowing the CSRF token the attacker could simply take over the complete account of the victim. I haven't inspected the requests and responses of every website in detail, but as a user one should expect the worst. An attacker only has to find a single endpoint that contains a secret token and reflects part of the request in the response to extract this token. As I mentioned, knowing this token is typically enough to compromise the user's account.
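As an added illustration (not code from the HEIST paper or this post) of the condition Van Goethem describes above: when a compressed response reflects request content next to a secret, its size depends on how much of the reflected content matches the secret. The block also shows one widely used server-side hardening the post does not cover, per-response token masking (the approach Django uses); the sample token, HTML template and guess strings are constructed assumptions.

```python
import secrets
import zlib

# Constructed sample: a per-session CSRF token embedded in the page body.
TOKEN = "9f3c1a7e2b"


def render_plain(reflected: str, token: str) -> bytes:
    # Vulnerable pattern: the response reflects a request parameter AND
    # carries the secret, and is compressed (e.g. gzip) before encryption.
    html = (
        "<html><body>"
        f"<p>You searched for: {reflected}</p>"
        f'<a href="/logout?csrf={token}">Log out</a>'
        "</body></html>"
    )
    return html.encode()


def mask_token(token: str) -> str:
    # Hardened form: XOR the token with a fresh random mask on every response,
    # so the bytes on the wire differ each time while the secret stays fixed.
    raw = token.encode()
    mask = secrets.token_bytes(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, mask))
    return mask.hex() + masked.hex()


def unmask_token(value: str) -> str:
    # Server side: split off the mask and recover the real token for checking.
    half = len(value) // 2
    mask, masked = bytes.fromhex(value[:half]), bytes.fromhex(value[half:])
    return bytes(a ^ b for a, b in zip(mask, masked)).decode()


def render_masked(reflected: str, token: str) -> bytes:
    return render_plain(reflected, mask_token(token))


def compressed_len(body: bytes) -> int:
    return len(zlib.compress(body, 6))


def size_oracle(render, correct_guess: str, wrong_guess: str, trials: int = 1) -> int:
    # Count trials in which the response with the correct prefix compresses
    # smaller than one with a wrong prefix of equal length and same characters.
    return sum(
        compressed_len(render(correct_guess, TOKEN)) < compressed_len(render(wrong_guess, TOKEN))
        for _ in range(trials)
    )


CORRECT = "csrf=9f3c1a7e2"  # first nine characters of TOKEN
WRONG = "csrf=e2a7c1f39"    # same characters permuted: no LZ77 match beyond "csrf="

if __name__ == "__main__":
    print("plain :", size_oracle(render_plain, CORRECT, WRONG, 20), "/ 20 trials leak")
    print("masked:", size_oracle(render_masked, CORRECT, WRONG, 20), "/ 20 trials leak")
```

With the plain template every trial shows the size difference; with masking the token bytes change per response, so the size no longer tracks the guess.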
How To Protect?
- Disable third-party cookies.
- Disabling third-party cookies prevents HEIST's fetch() call from authenticating with the targeted website, so the attacker's page cannot trigger requests that carry the victim's session.