Wednesday, June 29
HTTPS Visa sites affected by decade-old ‘forbidden attack’ vulnerability

A number of supposedly secure HTTPS sites owned by Visa are vulnerable to what has been dubbed the ‘forbidden attack’. The security flaw makes it possible for hackers to inject content and code into sites, as well as opening up the possibility of performing man-in-the-middle attacks.

A team of researchers have published a paper that shows how 70,000 HTTPS servers were vulnerable to the attack, and 184 were found to be particularly at risk. While many of the affected sites have since been patched, sites belonging to Visa and Polish banking associate Zwizek Banków Polskich remain insecure because of reusing a cryptographic nonce in contravention of the TLS protocol (hence the ‘forbidden’ tag).

In reusing data more than once during encryption, it makes it possible for an attacker to calculate the required key and compromise the site. As explained by Ars Technica, reusing a nonce during a TLS handshake would allow a connection to not only be monitored, but also interfered with. Researchers were able to exploit the vulnerability to attack HTTPS-protected sites. Ars says: ‘Attackers who are able to bypass the protection could add malicious JavaScript code or possibly add Web fields that prompt a visitor to reveal passwords, social security numbers, or other sensitive data’.

In order to perform a successful attack on some of the 70,000 sites identified, it would be necessary to flood a connection with terabytes of data, making it quite unlikely. But a security risk is a security risk, and the source of the vulnerability is particularly concerning.

The video above shows how the vulnerability can be exploited to inject a script into the German Visa site:

You can read the researchers’ full report, Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS, for more details of the vulnerability.