At Black Hat 2016 in Las Vegas, security researchers presented new vulnerabilities in key web protocols, including a set of four flaws in the next-generation HTTP/2 protocol and a new twist on compression-based attacks that makes it easier to decrypt HTTPS data.
Tom Van Goethem and Mathy Vanhoef, Ph.D. researchers at the University of Leuven in Belgium, described a vulnerability they call HEIST -- "HTTP Encrypted Information can be Stolen through TCP-windows" -- which builds on a method for determining the exact size of TCP responses and makes old attacks easier because the SSL/TLS protocols do nothing to obscure packet lengths. The HEIST vulnerability can allow attackers to easily infer the length of plaintexts being transmitted.
"Concretely, this means that compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring a man-in-the-middle position. Moreover, we also show that our length-exposing attacks can be used to obtain sensitive information from unwitting victims by abusing services on popular websites," the researchers wrote.
The researchers were able to "increase the damaging effects of our attacks by abusing new features of HTTP/2," in particular the ability to open parallel requests over a single TCP connection. Mitigations will be difficult: "One of the few, if not the only, adequate countermeasure is to disable third-party cookies," Van Goethem and Vanhoef wrote.
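To make the root cause concrete, the following added Python example (not code from the researchers or the article) shows why a page that echoes attacker-influenced text next to a secret leaks that secret through its compressed length, and how per-response token masking (the approach several web frameworks adopted after BREACH, assumed here for illustration) removes the repetition that compression exploits. The token and page layout are constructed sample values.

```python
import secrets
import zlib

# Constructed sample token (not a real value); a real token is generated per session.
SECRET_TOKEN = b"3f9c2a7e1b4d8e0f6a5c9b2d7e1f4a3c"
# Constructed, equally long text that shares no long substring with the token.
UNRELATED = b"a1b2c3d4e5f60718293a4b5c6d7e8f90"


def compressed_len(body: bytes) -> int:
    """Deflate-compressed size, standing in for the gzip body length seen on the wire."""
    return len(zlib.compress(body, 9))


def render(reflected: bytes, token: bytes) -> bytes:
    """A page that echoes attacker-influenced text next to a secret: the precondition
    CRIME/BREACH need, whose resulting length HEIST can now measure from a script."""
    return b"<p>" + reflected + b"</p><input name='csrf' value='" + token + b"'>"


def length_leaks(token: bytes, unrelated: bytes) -> bool:
    """True when echoing the secret itself yields a smaller compressed body than echoing
    unrelated text of the same length: a back-reference replaces the repeated bytes."""
    return compressed_len(render(token, token)) < compressed_len(render(unrelated, token))


def mask_token(token: bytes) -> bytes:
    """Per-response masking (assumed here for illustration): emit mask || (mask XOR token)
    with a fresh random mask on every response, so the bytes placed in the page never
    repeat across responses and no echoed text can match them."""
    mask = secrets.token_bytes(len(token))
    return mask + bytes(m ^ t for m, t in zip(mask, token))


def unmask_token(masked: bytes) -> bytes:
    """Server side: recover the real token from the masked form the client sent back."""
    half = len(masked) // 2
    return bytes(m ^ x for m, x in zip(masked[:half], masked[half:]))


if __name__ == "__main__":
    print("length leaks with a static token:", length_leaks(SECRET_TOKEN, UNRELATED))
    a, b = mask_token(SECRET_TOKEN), mask_token(SECRET_TOKEN)
    print("masked forms differ per response:", a != b)
    print("both unmask to the secret:", unmask_token(a) == unmask_token(b) == SECRET_TOKEN)
```

Masking protects only the embedded token; the researchers' point that HEIST measures response lengths from within the browser still stands, which is why they point to disabling third-party cookies as the broader countermeasure.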
Meanwhile, Imperva presented a report at Black Hat describing four attack vectors in the HTTP/2 web protocol that enabled vulnerabilities in five HTTP/2 server implementations, including Microsoft IIS, Apache, Nginx, Jetty and nghttpd.
"In this study, we found an exploitable vulnerability in almost all of the new components of the HTTP/2 protocol," the report read. "The four different attack vectors we discovered are Slow Read, HPACK (Compression), Dependency DoS and Stream abuse. The five popular servers under test from various vendors were found to be vulnerable to at least one attack vector, with Slow Read being the most prevalent."
While only five servers were tested, Imperva concluded that the vulnerabilities could probably also be found in other HTTP/2 servers. The Imperva Defense Center research team worked with the vendors of the servers they tested so that the vulnerabilities they found were patched before the report was published.
In other news
- Banner Health, the non-profit hospital system headquartered in Phoenix, Ariz., is notifying approximately 3.7 million people -- including patients, health plan members and beneficiaries, food and beverage customers, and physicians and healthcare providers -- that their personal data was exposed after it "discovered that cyber attackers may have gained unauthorized access to computer systems that process payment card data at food and beverage outlets at some Banner Health locations." Banner Health responded by hiring Kroll, the New York-based security and risk management firm, to investigate the attack, and put up a dedicated website to provide information to the people affected.
- In another blow to a key web protocol, a feature in HTML5 meant to allow web servers to check the charge remaining on mobile device batteries, and serve less processing-intensive content to users who are running low on charge, turns out to enable a different feature: battery fingerprinting. In a paper on online tracking, Ph.D. student Steven Englehardt and Arvind Narayanan, assistant professor of computer science, both at Princeton University, described a technique for using the Battery Status API to extract enough battery status information to describe devices sufficiently to track users across different websites. Security researcher Lukasz Olejnik wrote: "Frequency of changes in the reported readouts from Battery Status API potentially allowed the monitoring of users' computer use habits; for example, potentially enabled analyzing of how frequently the user's device is under heavy use. This could lead to behavioral analysis." The battery status readouts for a particular device, which include the current battery level and the time, in seconds, to discharge and recharge the battery, provide sufficient precision, and change slowly enough, to allow devices to be fingerprinted and tracked across websites.
- At Black Hat, Kaspersky Lab announced its own bug bounty program, in association with bug bounty platform provider HackerOne. For the initial phase of the program, Kaspersky is offering up to $50,000 in bounty rewards to researchers who report vulnerabilities in Kaspersky Internet Security 2017 and Kaspersky Endpoint Security 10 SP1MR3 running on Microsoft Windows 8.1, or a more recent Microsoft desktop OS. Payouts for flaws that enable local privilege escalation will be $1,000, while flaws that compromise user data or enable remote code execution will average $2,000. "Our bug bounty program will help amplify the current internal and external mitigation measures we use to continuously improve the resiliency of our products," said Nikita Shvetsov, CTO at Kaspersky Lab, in a press statement. "We think it's time for all security companies, large and small, to work more closely with external security researchers by embracing bug bounty programs as an effective and necessary tool to help keep their products secure and their customers protected."