Dan Goodin / Ars Technica:
Researchers demo new exploit, HEIST, executed by Javascript on a visited page, which lets hackers steal sensitive data from HTTPS pages without a MITM position
The HTTPS cryptographic scheme protecting millions of websites is vulnerable to a newly revived attack that exposes encrypted e-mail addresses, social security numbers, and other sensitive data even when attackers don’t have the ability to monitor a targeted end user’s Internet connection.
The exploit is notable because it doesn’t require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in an Web advertisement or hosted directly on a webpage. The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols and measure the precise file sizes of the encrypted data they transmit. As its name suggests, the HEIST technique—short for HTTP Encrypted Information can be Stolen Through TCP-Windows—works by exploiting the way HTTPS responses are delivered over the transmission control protocol, one of the Internet’s most basic building blocks.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
We are a professional review site that has advertisement and can receive compensation from the companies whose products we review. We use affiliate links in the post so if you use them to buy products through those links we can get compensation at no additional cost to you.OkDecline
2 Comments
haktuts says:
http://www.haktuts.in/2016/08/new-attack-steals-ssns-e-mail-addresses-from-https-site.html
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researchers demo new exploit, HEIST, executed by Javascript on a visited page, which lets hackers steal sensitive data from HTTPS pages without a MITM position
New attack steals SSNs, e-mail addresses, and more from HTTPS pages
Approach exploits how HTTPS responses are delivered over transmission control protocol.
http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/
The HTTPS cryptographic scheme protecting millions of websites is vulnerable to a newly revived attack that exposes encrypted e-mail addresses, social security numbers, and other sensitive data even when attackers don’t have the ability to monitor a targeted end user’s Internet connection.
The exploit is notable because it doesn’t require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in an Web advertisement or hosted directly on a webpage. The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols and measure the precise file sizes of the encrypted data they transmit. As its name suggests, the HEIST technique—short for HTTP Encrypted Information can be Stolen Through TCP-Windows—works by exploiting the way HTTPS responses are delivered over the transmission control protocol, one of the Internet’s most basic building blocks.