Saturday, August 6, 2016

HEIST Attack On HTTPS Websites Can Steal Your Private Data



Two security researchers, Mathy Vanhoef and Tom Van Goethem, presented their findings at the Black Hat conference this week. HEIST stands for "HTTP Encrypted Information can be Stolen Through TCP-Windows".

“Compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring network access,” the researchers said in the paper.

“If we know that HTTP/2 is used, we can let the browser simultaneously request the targeted resource, and another resource that contains reflected content,” Vanhoef and Van Goethem wrote in a research paper that has not yet been published. “Since HTTP/2 is used, both requests are sent in parallel to the server, and the server replies to them in parallel as well.”

How does this attack work?

Once the attacker knows the exact size of an encrypted response, it becomes possible to exploit two earlier attacks, BREACH and CRIME, to decrypt the transmitted data without the attacker having to be in a man-in-the-middle (MITM) position on the network. HEIST works with both the older HTTP/1.x and the newer HTTP/2 protocols.
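The reason a response size is enough to matter is the compression side channel that BREACH relies on: when attacker-influenced input is echoed into the same compressed response body as a secret, the response shrinks by a few bytes whenever the echoed input repeats the secret's prefix. The following is an added example, not code from the article or from the researchers; it uses a constructed HTML page, a constructed CSRF token and zlib as a stand-in for HTTP response compression, and it also shows the per-response token masking that frameworks adopted against BREACH (the token on the wire changes every response, so its size no longer correlates with a guess).

```python
import secrets
import zlib
from typing import Optional

# Constructed sample secret: the kind of CSRF token the article says BREACH can read out.
# (8 bytes, hex-encoded; not a real token.)
SECRET_TOKEN = "7f3a9c1e2b8d4f60"


def render_page(reflected: str, token_field: str) -> bytes:
    """Constructed HTML response that echoes attacker-influenced input (a search
    string) and also carries the CSRF token in a link. Both land in the same
    compressed HTTPS response body, which is the precondition for BREACH."""
    html = (
        "<html><body>"
        f'<a href="/logout?csrftoken={token_field}">Log out</a>'
        f"<p>Search results for: {reflected}</p>"
        "</body></html>"
    )
    return html.encode()


def compressed_size(body: bytes) -> int:
    """Byte length of the DEFLATE-compressed body. This size is the only thing
    the attack observes; HEIST is what lets a script in the browser learn it."""
    return len(zlib.compress(body, 9))


def leak_bytes(token_field: str, right_guess: str, wrong_guess: str) -> int:
    """How many bytes smaller the response is when the echoed input repeats the
    token prefix correctly. A positive value means the size reveals the prefix."""
    right = compressed_size(render_page(f"csrftoken={right_guess}", token_field))
    wrong = compressed_size(render_page(f"csrftoken={wrong_guess}", token_field))
    return wrong - right


def mask_token(token_hex: str, mask: Optional[bytes] = None) -> str:
    """Per-response token masking (mitigation): emit mask || (mask XOR token),
    so the bytes placed in the page differ on every response even though the
    underlying token is unchanged. A fixed mask may be passed for reproducible tests."""
    token = bytes.fromhex(token_hex)
    if mask is None:
        mask = secrets.token_bytes(len(token))
    xored = bytes(a ^ b for a, b in zip(token, mask))
    return (mask + xored).hex()


def unmask_token(masked_hex: str) -> str:
    """Server-side inverse: recover the real token before comparing it."""
    data = bytes.fromhex(masked_hex)
    half = len(data) // 2
    mask, xored = data[:half], data[half:]
    return bytes(a ^ b for a, b in zip(mask, xored)).hex()


if __name__ == "__main__":
    right, wrong = SECRET_TOKEN[:8], "e1c9a3f7"  # same hex letters, different order
    print("unmasked leak (bytes):", leak_bytes(SECRET_TOKEN, right, wrong))
    masked = mask_token(SECRET_TOKEN, mask=bytes.fromhex("3c91d5086b4ae2f7"))
    print("masked leak (bytes):  ", leak_bytes(masked, right, wrong))
    print("unmasked correctly:   ", unmask_token(masked) == SECRET_TOKEN)
```

The wrong guess deliberately uses the same hex characters as the right one, so the only difference between the two unmasked responses is whether the echoed bytes extend an existing LZ77 match; that is exactly the signal a size oracle exposes. With masking, neither guess matches the bytes in the page, and the two responses compress to the same size. Masking does not remove the channel for other secrets on the page; the other standard mitigations are to stop compressing responses that contain secrets or to keep reflected input out of those responses.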

According to Ars,

Van Goethem and fellow researcher Mathy Vanhoef have already disclosed their findings to researchers at both Google and Microsoft. That means Wednesday’s demonstration isn’t likely to catch them by surprise. Still, when asked how practical the attack is against Gmail, Bank of America, and other real-world sites, Van Goethem gave the following answer:

If I were to take my time and write exploits for a number of websites, then visiting a malicious site (it doesn’t even have to be a malicious one; there could also happen to be a malicious JavaScript file on there, and there are numerous possibilities for that to happen) could cause a lot of havoc. Probably the most damage could be dealt out by exploiting BREACH, as it allows the attacker to read out CSRF tokens. Depending on the functionality offered by the website, it could be that by knowing the CSRF token the attacker could simply take over the complete account of the victim.

I haven’t inspected the requests and responses of every website in detail, but as a user one should expect the worst. An attacker only has to find a single endpoint that contains a secret token and reflects part of the request in the response to extract this token. As I mentioned, knowing this token is typically enough to compromise the user’s account.

As we posted in a related story earlier,
