Breached in 30 seconds

BREACH allows an attacker to read encrypted messages over the Web.

A new hacking technique, called BREACH, can lift private data that is critical to securing online banking and shopping from an HTTPS channel - in as little as 30 seconds.

According to Threatpost, researchers at Black Hat showed how BREACH can extract session ID numbers, e-mail addresses, security credentials, login tokens and other sensitive information from SSL/TLS encrypted Web traffic.

BREACH stands for "browser reconnaissance and exfiltration via adaptive compression of hypertext". It allows an attacker to read encrypted messages over the Web by injecting plaintext into an HTTPS request and then measuring compression changes.

HTTPS connections are used to protect the traffic of secure communications, such as banking systems and e-commerce platforms. A BREACH attack allows hackers to access sensitive information encrypted in the traffic - the technique doesn't decrypt all the traffic, but rather manipulates data compression to exfiltrate pieces of specific information.

Security researchers Angelo Prado and Yoel Gluck, from salesforce.com, and Neal Harris, from Square, demonstrated the attack against Outlook Web Access at Black Hat, in Las Vegas, last week.

Mitigating against BREACH

* Disable HTTP compression.
* Separate the secrets from the user input.
* Randomise the secrets in each client request.
* Mask secrets (effectively randomising by XORing with a random secret per request).
* Protect Web pages from CSRF attacks.
* Obfuscate the length of Web responses by adding random amounts of arbitrary bytes.
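The masking mitigation in the list above (XORing a secret with a fresh random mask on every response, so the compressor never sees the same byte sequence twice) is simple enough to show in code. The following is an added illustration, not code from the researchers, CERT, or any named product; the token length and helper names are assumptions.

```python
import hmac
import secrets


def mask_token(token: bytes) -> bytes:
    """Return mask || (token XOR mask), using a new random mask per call.

    The raw token never appears in the output, and two responses carrying
    the same token share no fixed byte sequence, so an attacker-controlled
    reflected string cannot compress against it.
    """
    mask = secrets.token_bytes(len(token))
    masked = bytes(t ^ m for t, m in zip(token, mask))
    return mask + masked


def unmask_token(blob: bytes, token_len: int) -> bytes:
    """Recover the token from mask || (token XOR mask); reject bad lengths."""
    if len(blob) != 2 * token_len:
        raise ValueError("masked token has the wrong length")
    mask, masked = blob[:token_len], blob[token_len:]
    return bytes(x ^ m for x, m in zip(masked, mask))


def verify_token(expected: bytes, blob: bytes) -> bool:
    """Constant-time check of a submitted masked token against the session value."""
    try:
        candidate = unmask_token(blob, len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(expected, candidate)


def masked_forms_differ(token: bytes, samples: int) -> bool:
    """True when repeated maskings of one token never repeat (the property
    that denies the compression oracle a stable target)."""
    seen = {mask_token(token) for _ in range(samples)}
    return len(seen) == samples


if __name__ == "__main__":
    # Constructed sample: a 32-byte session secret.
    session_secret = secrets.token_bytes(32)
    blob = mask_token(session_secret)
    print("masked form (hex):", blob.hex())
    print("verifies:", verify_token(session_secret, blob))
    print("forms differ:", masked_forms_differ(session_secret, 10))
```

Note that masking stops the response length from correlating with the secret; it does not replace disabling compression or the other mitigations in the list.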

BREACH is thought to be an extension of CRIME - compression ratio info-leak made easy - a past security exploit against secret Web cookies over connections using the HTTPS and SPDY protocols that also use data compression.

When used to recover the content of secret authentication cookies, CRIME allowed an attacker to perform session hijacking on an authenticated Web session, which allowed the launching of further attacks.

A CERT advisory, released shortly after Black Hat, said that at present it did not know of a "practical solution" to the problem, but that there are several means of mitigating the vulnerability, some of which will protect entire applications, while others will only protect individual Web pages.
