
Image credit: Source image: Mathy Vanhoef/Tom Van Goethem, KU Leuven

Exploit can attack secure websites through ads

HEIST only needs a little JavaScript to do a lot of damage.

Some web-based exploits are more dangerous than others... and unfortunately, this is one of the nasty ones. Security researchers at KU Leuven have discovered an attack technique, HEIST (HTTP Encrypted Information can be Stolen Through TCP-Windows), that helps compromise an encrypted website using only a JavaScript file hidden in a maliciously crafted ad or page. Unlike many similar attacks, it doesn't require a man-in-the-middle position on the network -- the script can gauge the size of an encrypted response (and thus enable an attack) all on its own. Combine it with another technique and it's relatively easy to pluck sensitive info from encrypted data traffic, such as email addresses and banking details.

The team's Tom Van Goethem tells Ars Technica that the only surefire way to prevent attacks in the short term is to disable third-party cookies. That's not hard to do (multiple browsers have an option for it), but it's rarely turned on by default. Thankfully, the researchers have already revealed their findings to Google and Microsoft. It's not certain that they'll have patches in place soon, but the advance disclosure at least raises hope that this latest exploit won't be available forever.
