
Gmail BREACH attack gets much faster but still easy to stop

Security researchers have updated the BREACH attack so that a Facebook Messenger or Gmail breach can be performed much faster, but the overall risk remains limited.

Security researchers at the Black Hat Asia conference demonstrated an updated version of the BREACH attack that can be performed 500 times faster than the original method.

Dimitris Karakostas and Dionysis Zindros first showed off their BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) attack at Black Hat in 2013. BREACH targets the Deflate compression algorithm used to save bandwidth in Web communications: because a compressed response shrinks when attacker-controlled text repeats a secret in the same page, the size of the encrypted response leaks information about that secret, allowing attackers to perform a Facebook Messenger or Gmail breach and steal secure data. Karakostas and Zindros also made the attack easier to perform with a new "Rupture" framework.

The researchers claim BREACH is now 500 times faster overall, with browser parallelization six times faster and site requests 16 times faster. The attack targets endpoints and uses "new statistical methods that can be used to bypass noise induced by the usage of block ciphers, as well as noise present in usual web applications," as described in their paper Practical New Developments on BREACH.

In practice, this means an attack could perform a Facebook Messenger or Gmail breach and steal secure communications. Zindros said the attack could still take weeks to carry out, although the Rupture framework would make it easier and lower its complexity.

"If you want to use Rupture to target an endpoint you need to study it for a bit, how it behaves, how it compresses things, if there is noise, and configure it to make it work ... to steal a Gmail email or a Facebook message," Zindros told The Register. "Rupture is the implementation of our ideas, our optimization techniques, our statistical techniques, and is not proof of concept. It is ready to run on real systems."

Karakostas and Zindros also described a simple way to mitigate such a Gmail breach. The researchers said that first-party cookies could be used to stop a targeted service from acting as a compression oracle, that is, a responder whose encrypted, compressed output reveals secrets and plaintext data through its size.
