A new technique has been unveiled that can attack Transport Layer Security (TLS)-protected communications in web browsers to expose encrypted email addresses and other personally sensitive data.
Exploiting the vulnerability requires a multistage attack on HTTPS protected pages by inserting a tailored JavaScript file in a web ad or directly on a webpage that measures the exact size of the encrypted files that are being transmitted to users' browsers.
With the exact file size known, it is possible to utilise two earlier attacks, BREACH and CRIME, to decrypt the transmitted data without the attacker having to be in a man-in-the-middle (MITM) position on the network.
The attack, dubbed HTTPS Encrypted Information can be Stolen Through TCP Windows (HEIST) by its developers, Mathy Vanhoefand Tom Van Goethem, two doctoral candidates at the University of Leuven in Belgium, enables the exploit of flaws in network protocols without having to sniff data traffic.
The two presented their findings [pdf] at the annual Black Hat conference this week.
They showed how a side-channel attack could affect the way responses are sent at the TCP level, which could then grab a plaintext message.
"Compression-based attacks [such as CRIME and BREACH] can now be performed purely in the browser, by any malicious website or script, without requiring network access," the researchers said.
HEIST works with both the older HTTP/1.x and the new HTTP/2 protocols.
Mitigating against HEIST involves not allowing third-party cookies to be placed on user browsers, but the researchers warned that doing so may hamper the functionality of web-based services.
