Bad news! HTTPS, which has been touted as being more secure than the older HTTP, has now become a less so. An attack that steals sensitive information, such as social security numbers and email addresses, has been announced.
This is not the first time a leak has been discovered in HTTP coding. In fact, it isn’t the first time this particular exploit, HEIST, has been seen. But it has been once more proven as a threat by researchers who have warned major tech companies of the ability to continue exploiting it.
Direct HTTPS Risk Exploitation
There is no need for a third party conduit for this particular vulnerability. The end-user needs only to find a Javascript file that has been attached either on a website (with or without the knowledge of the webmaster), or hidden within an advertisement.
From there the file size of encrypted data files are found, and the hackers can use different techniques already formed and protected to break through the encryption.
Because of the nature of the data carried in files of this nature through HTTPS networks (social security numbers, email addresses, secret question answers, financial details, ect), it has the potential for being devastating in the hands of identity thieves.
Quick Response
The good news is that this isn’t a vulnerability we are learning about after it hits the underground and victims start coming out of the woodwork. Researchers at the Belgium based University of Leuven were the first to discover the problem.
Immediately, they warned Google and Microsoft. They have since been trying other methods to map its potential, finding two methods of exploiting the code so far. More could be coming.
There is bad news, however. Where once a man-in-the-middle approach required the hacker to manually drive traffic and have greater control to manipulate potential victims, that is no longer the case. Simply visiting an infected website, or exposure to an infected ad, could be enough to leave you at risk.
Patching this kind of exploit won’t be easy, either. Already experts are warning that this is likely to take some time. Knowing what sites are and are not infected also won’t be a simple matter of having an active malware program running.
Your best bet is to be careful and avoid smaller or suspect sites. We wary of torrent databases, especially those hosted on domains you are not familiar with. And watch where you put details like SSN’s.
Source: Digital Trends