A new technique has been unveiled that can attack SSL/TLS and other secure channels purely from within the browser to expose encrypted email addresses, Social Security numbers and other sensitive data.
The attack on the HTTPS cryptographic scheme dupes end users by hiding a JavaScript file in a web ad or directly on a webpage. The attack, named HEIST by its developers, Mathy Vanhoef and Tom Van Goethem, doctoral candidates at the University of Leuven in Belgium, enables the exploitation of flaws in network protocols without having to sniff actual traffic. The two presented their findings [pdf] at Black Hat on Wednesday.
In particular, they showed how a side channel in the way responses are sent at the TCP level can be abused, which in turn allows a plaintext message to be recovered. "Compression-based attacks [such as CRIME and BREACH] can now be performed purely in the browser, by any malicious website or script, without requiring network access," the researchers said.
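To show why the response size that such a side channel measures matters, here is an added example (not code from the HEIST paper or its authors) of the compression oracle behind CRIME and BREACH: a page that echoes attacker-controlled input next to a secret token compresses to a different size depending on whether the echoed input matches the token's prefix, and turning compression off for such pages removes the difference. The page markup and the token value are constructed, hypothetical values.

```python
import zlib

# Constructed example values (hypothetical), not taken from the HEIST paper:
# a secret token that a page embeds alongside reflected user input.
SECRET_TOKEN = "csrf=7f3a9c"


def render_page(reflected: str) -> bytes:
    """Build a response body that echoes user input on the same page as the secret."""
    return f"<p>You searched for: {reflected}</p>\n<!-- {SECRET_TOKEN} -->\n".encode()


def response_length(reflected: str, compress: bool = True) -> int:
    """Size of the response on the wire, with or without DEFLATE compression.
    This size is what a HEIST-style side channel lets a script observe."""
    body = render_page(reflected)
    return len(zlib.compress(body, 9)) if compress else len(body)


def length_reveals_prefix(correct_prefix: str, wrong_prefix: str, compress: bool = True) -> bool:
    """True if a correct guess of the secret's prefix produces a shorter response
    than an incorrect guess of the same length: the size then acts as an oracle.
    With DEFLATE the correct guess is absorbed into a longer back-reference, so
    one fewer literal byte is emitted; without compression the sizes are equal."""
    assert len(correct_prefix) == len(wrong_prefix)
    return response_length(correct_prefix, compress) < response_length(wrong_prefix, compress)


if __name__ == "__main__":
    # Compressed page: the size depends on the secret.
    print(length_reveals_prefix("csrf=7", "csrf=0"))                  # True
    # Mitigation: do not compress pages that mix secrets with reflected input.
    print(length_reveals_prefix("csrf=7", "csrf=0", compress=False))  # False
```

The same check can be run against a real template by swapping in its markup, which is a cheap way to confirm whether a page's compression settings turn the response size into a secret-dependent signal.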
Whereas before an attacker had to operate from a man-in-the-middle position, the new strategy lets bad actors attack victims through a website owned by a malicious party.
The consequence, they explained, is that their attack can allow sensitive information to be stolen from targets by attacking services on websites.