
‘HTTPS Bicycle Attack’ can leak passwords and GPS coordinates on secure connections

New HTTPS Bicycle Attack On TLS/SSL Encrypted Web Traffic Can Reveal Your Passwords and GPS Coordinates

Most financial transactions and personal information are routed through sites that have enabled HTTPS encryption, and users trust HTTPS much more than plain HTTP websites for their banking and financial transactions. Now a Dutch security researcher has found that even HTTPS encryption is not safe, and that potential hackers could exploit TLS/SSL-encrypted websites by using an ‘HTTPS Bicycle Attack.’

Security researcher Guido Vranken discovered that, using an ‘HTTPS Bicycle Attack,’ a potential hacker could extract information from HTTPS data streams. He has published a research paper (PDF) detailing how the new attack works on TLS/SSL-encrypted traffic, and how it could be used to reveal users’ passwords, GPS coordinates and much more.

According to Vranken, the HTTPS Bicycle Attack lets a hacker inspect HTTPS traffic and determine the length of some of the data exchanged underneath the TLS protection layer. Once the exploit is successful, the hacker can find out details like the length of a cookie header, the length of passwords sent in POST requests, GPS coordinates, IPv4 addresses, or other information contained in TLS-encrypted HTTP traffic.

What is the HTTPS Bicycle Attack?

Vranken says that the HTTPS Bicycle Attack is completely undetectable and can also be used retroactively on HTTPS traffic logged many years before. For an HTTPS Bicycle Attack to be successful, a few prerequisites need to be satisfied. First, the HTTPS traffic must use a stream-based cipher. Second, the attacker must know the length of the rest of the data before being able to extract details about specific parts of the HTTPS packets.

Once the above prerequisites are met, any hacker with advanced tech knowledge can carry out the HTTPS Bicycle Attack, as all he/she needs to do is capture HTTPS packets from a user authentication operation.

Once the hacker has used the exploit and knows the victim’s username, the login URL, and the adjacent information usually sent to the server, the only unknown left in the HTTPS packet is the length of the user’s password. After a simple subtraction, the attacker is in possession of the user’s password length. Knowing the password length helps the hacker brute-force his/her way into the web account.

Vranken states on his blog, “Redundancy of the plaintext HTTP headers included in each and every request can be exploited in order to reveal the length of particular components (such as passwords) of particular requests (such as authentication to a web application). The redundancy of HTTP in practice allows for an iterative resolution of the length of ‘unknowns’ in a HTTP message until the lengths of all its components are known except for a coveted secret, such as a password, whose length is then implied. The attack furthermore exploits the property of stream-oriented cipher suites such as those based on Galois/Counter Mode that the exact size of the plaintext can be known to a man-in-the-middle.”

Vranken has also published details of mitigations against the HTTPS Bicycle Attack. To protect against HTTPS Bicycle Attacks, he recommends that webmasters turn off support for TLS stream ciphers, use the latest version of the TLS protocol (1.2 right now), and add padding to any sensitive data sent via HTTPS to mask its actual length.
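
The length leak and the padding mitigation described above, as an added example that is not from Vranken's paper or this article. It models record sizes only, assuming a TLS 1.2 AES-GCM suite with 24 bytes of fixed per-record overhead; the host, path, field names, `PAD_BUCKET` scheme and sample passwords are constructed for illustration.

```python
# Added example: models record sizes only; nothing is encrypted or sent.
GCM_OVERHEAD = 8 + 16  # assumed TLS 1.2 AES-GCM: explicit nonce + auth tag
PAD_BUCKET = 64        # hypothetical padding granularity for the form body


def login_request(username, password, pad=False):
    """Constructed login POST; host, path and field names are placeholders."""
    body = f"user={username}&pass={password}"
    if pad:
        # Hypothetical scheme: a filler field rounds the body up to a
        # multiple of PAD_BUCKET, so password lengths inside one bucket
        # produce identical sizes (a bucket change still shows).
        body += "&pad="
        body += "x" * (-len(body) % PAD_BUCKET)
    head = (
        "POST /login HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return (head + body).encode()


def record_length(plaintext):
    """Size an on-path observer sees: GCM preserves the plaintext length."""
    return len(plaintext) + GCM_OVERHEAD


def implied_password_length(observed, username, limit=256):
    """Length implied when every other part of the request is known."""
    for n in range(limit):
        if record_length(login_request(username, "x" * n)) == observed:
            return n
    return None


def leak_report(username, passwords, pad):
    """Implied password length per request, with or without padding."""
    return [
        implied_password_length(
            record_length(login_request(username, pw, pad)), username)
        for pw in passwords
    ]


if __name__ == "__main__":
    pws = ["hunter", "correct-horse1"]  # constructed sample passwords
    print("unpadded:", leak_report("alice", pws, pad=False))
    print("padded:  ", leak_report("alice", pws, pad=True))
```

Without padding the two requests yield different implied lengths; with padding both requests are the same size, so the observed length no longer distinguishes the passwords.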

