Latest in Gear

Image credit: Source image: Mathy Vanhoef/Tom Van Goethem, KU Leuven

Exploit can attack secure websites through ads

HEIST only needs a little JavaScript to do a lot of damage.
880 Shares
Share
Tweet
Share
Save
Source image: Mathy Vanhoef/Tom Van Goethem, KU Leuven

Some web-based exploits are more dangerous than others... and unfortunately, this is one of the nasty ones. Security researchers at KU Leuven have discovered an attack technique, HEIST (HTTP Encrypted Information can be Stolen Through TCP-Windows), that helps compromise an encrypted website using only a JavaScript file hidden in a maliciously-crafted ad or page. Unlike many similar attacks, you don't need a man-in-the-middle spot to make this work -- it can gauge the size of an encrypted response (and thus enable an attack) all on its own. Combine it with another technique and it's relatively easy to pluck sensitive info from encrypted data traffic, such as email addresses and banking details.

The team's Tom Van Goethem tells Ars Technica that the only surefire way to prevent attacks in the short term is to disable third-party cookies. That's not hard to do (multiple browsers have an option for it), but it's rarely turned on by default. Thankfully, the researchers have already revealed their findings to Google and Microsoft. It's not certain that they'll have patches in place soon, but the advance disclosure at least raises hope that this latest exploit won't be available forever.

From around the web

ear iconeye icontext filevr