Home > Security & Privacy
Exploit Can Attack Secure Websites Through Ads
Source image: Mathy Vanhoef/Tom Van Goethem, KU Leuven
August 5th, 2016 | 09:56 AM | 1175 views
ENGADGETS.COM
HEIST Only Needs A Little Javascript To Do A Lot Of Damage.
Some web-based exploits are more dangerous than others... and unfortunately, this is one of the nasty ones. Security researchers at KU Leuven have discovered an attack technique, HEIST (HTTP Encrypted Information can be Stolen Through TCP-Windows), that helps compromise an encrypted website using only a JavaScript file hidden in a maliciously-crafted ad or page. Unlike many similar attacks, you don't need a man-in-the-middle spot to make this work -- it can gauge the size of an encrypted response (and thus enable an attack) all on its own. Combine it with another technique and it's relatively easy to pluck sensitive info from encrypted data traffic, such as email addresses and banking details.
The team's Tom Van Goethem tells Ars Technica that the only surefire way to prevent attacks in the short term is to disable third-party cookies. That's not hard to do (multiple browsers have an option for it), but it's rarely turned on by default. Thankfully, the researchers have already revealed their findings to Google and Microsoft. It's not certain that they'll have patches in place soon, but the advance disclosure at least raises hope that this latest exploit won't be available forever.
Source:
courtesy of ENGADGET
by Jon Fingas
If you have any stories or news that you would like to share with the global online community, please feel free to share it with us by contacting us directly at [email protected]