Black Hat Las Vegas: SSL/TLS HEIST attack can grab personal info

News by Greg Masters

A new technique unveiled at Black Hat can attack SSL/TLS and other secure channels purely in the browser.

A new technique has been unveiled that can attack SSL/TLS and other secure channels purely in the browser to expose encrypted email addresses, Social Security numbers and other sensitive data.

The exploit of the HTTPS cryptographic scheme dupes end-users by hiding a JavaScript file in a web ad or directly on a webpage. The attack, named HEIST by its developers Mathy Vanhoef and Tom Van Goethem, both doctoral candidates at the University of Leuven in Belgium, enables the exploitation of flaws in network protocols without having to sniff actual traffic. The two presented their findings at Black Hat on Wednesday.

In particular, they showed how a side-channel attack on the way responses are sent at the TCP level could then be used to grab a plaintext message. "Compression-based attacks [such as CRIME and BREACH] can now be performed purely in the browser, by any malicious website or script, without requiring network access," the researchers said.

Whereas before an attacker would approach from a man-in-the-middle position, the new strategy allows bad actors to capture victims by using a website owned by a malicious party.

The consequence, they explained, is that their attack can allow the theft of sensitive information from targets by penetrating services on websites.

