Called the HEIST attack, this new technique can attack SSL/TLS and other secure channels purely in the browser to expose encrypted passwords, email addresses, Social Security numbers and other sensitive data. Two Belgian security researchers, Mathy Vanhoef and Tom Van Goethem, presented their latest work at the Black Hat security conference in Las Vegas. They named it HEIST, which stands for HTTP Encrypted Information can be Stolen through TCP-Windows.

The exploit of the HTTPS cryptographic scheme dupes end users by hiding a JavaScript file in a web ad or directly on a webpage. This can be done right on the website if the attacker owns the site, or via JS-based ads if the attacker needs to embed the attack vector on third-party sites. The most deadly attack scenario is the second one, when the attacker sneakily embeds malicious JS inside an ad that is shown on your banking portal or social media accounts.

Once the malicious payload is executed, it tries to fetch content via a hidden JavaScript call from a private page that holds sensitive information such as credit card numbers, real names, phone numbers, SSNs, etc. This page is protected in most cases by HTTPS. Second, as the content is retrieved, the attacker uses a repeated probing mechanism of JavaScript calls to pinpoint the size of the data embedded on the sensitive page. HEIST basically brute-forces the size of small portions of data that get added to a page as it loads. As such, the attack can take a while. If the page is loaded using the next-gen version of HTTP, the HTTP/2 protocol, the time needed to carry out the attack is much shorter because HTTP/2 supports native parallel requests.

HEIST can be called a side-channel attack on HTTPS because, instead of breaking the SSL encryption, it leaks information about the data exchanged in HTTPS traffic, leaving it open to hackers for malicious gain. As data is transferred in small TCP packets, by guessing the size of these packets an attacker can infer their content.
The two presented their findings [PDF] at Black Hat on Wednesday.

The researchers showed how a side-channel attack could affect the way responses are sent at the TCP level, which could then be used to recover a plaintext message. “Compression-based attacks [such as CRIME and BREACH] can now be performed purely in the browser, by any malicious website or script, without requiring network access,” the researchers said. The researchers said that to block HEIST attacks, the user can disable support for either third-party cookies or JavaScript in the browser. However, this is not practical in today’s world, as most websites rely on JavaScript to perform important functions. Even banking websites use JavaScript popups for passwords and OTPs.
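The article describes HEIST as a way to measure response sizes from the browser and notes that this revives compression-based attacks such as CRIME and BREACH. The size side channel those attacks rely on is a server-side property: when a compressed response contains both a secret and attacker-influenced (reflected) input, the compressed length shrinks whenever the reflected input shares bytes with the secret. The following added example is not code from the article or from the HEIST authors; it is a defender's regression check that a web team could run against a page template, using a constructed page, a constructed secret token and zlib's DEFLATE as a stand-in for the server's HTTP compression. It also shows two well-known countermeasures the article does not discuss, labelled as assumptions here: serving secret-bearing pages without compression, and rounding the on-wire length up to a fixed bucket so that small size differences become unobservable.

```python
"""Added example (not from the article or the HEIST paper): a server-side
regression check for the response-size side channel that compression-based
attacks measure. The page, the secret and the test strings are all
constructed; no real site or token is involved."""
import zlib

# Constructed secret embedded in a private page (not a real token).
SECRET_TOKEN = "4e1a9c7b2d5f8e03"


def render_page(reflected: str) -> bytes:
    """Constructed private page: it holds a secret hidden-form value and also
    echoes a request parameter (a search string) into the HTML. This pairing
    of secret and reflected input is what makes the compressed length leak."""
    html = (
        "<html><body>\n"
        "<form method='post' action='/transfer'>\n"
        f"<input type='hidden' name='csrftoken' value='{SECRET_TOKEN}'>\n"
        "</form>\n"
        f"<p>You searched for: {reflected}</p>\n"
        "</body></html>\n"
    )
    return html.encode()


def compressed_length(body: bytes) -> int:
    """Length of the body after DEFLATE, roughly what a server applying
    Content-Encoding: deflate would put on the wire (zlib level 9 assumed)."""
    return len(zlib.compress(body, 9))


def size_depends_on_reflected_input(a: str, b: str) -> bool:
    """Defender's check: two reflected strings of equal length must yield
    responses of equal length. If they do not, the response length carries
    information about the page's other content, which is exactly what a
    size-measuring attack needs. Returns True when the template leaks."""
    if len(a) != len(b):
        raise ValueError("compare inputs of equal length")
    return compressed_length(render_page(a)) != compressed_length(render_page(b))


def uncompressed_length(body: bytes) -> int:
    """Countermeasure 1 (assumed, not from the article): send secret-bearing
    pages with Content-Encoding: identity. The length then depends only on
    how long the reflected input is, never on its value."""
    return len(body)


def padded_length(body: bytes, bucket: int = 1024) -> int:
    """Countermeasure 2 (assumed, not from the article): after compressing,
    pad the on-wire size (e.g. with a filler response header) up to the next
    multiple of `bucket`, so differences of a few bytes disappear."""
    n = compressed_length(body)
    return -(-n // bucket) * bucket


if __name__ == "__main__":
    # Equal-length inputs: one shares a prefix with the hidden field's
    # value attribute, the other shares only the literal "value='" part.
    overlap = "value='4e1a9c7b"
    no_overlap = "value='QWXYZKJV"
    print("template leaks size:", size_depends_on_reflected_input(overlap, no_overlap))
    for name, measure in (("deflate", compressed_length),
                          ("identity", uncompressed_length),
                          ("padded", padded_length)):
        print(f"{name:9}", measure(render_page(overlap)), measure(render_page(no_overlap)))
```

Run as a script it prints, for the compressed case, a smaller number for the overlapping input than for the non-overlapping one, and identical numbers for the two countermeasures. The useful property for a defender is the check itself: any page template that fails `size_depends_on_reflected_input` for equal-length inputs is exposing a size oracle, regardless of whether the attacker reads that size from the network or, as with HEIST, from the browser.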