A number of supposedly secure HTTPS sites owned by Visa are vulnerable to what has been dubbed the ‘forbidden attack’. The security flaw makes it possible for hackers to inject content and code into sites, as well as opening up the possibility of performing man-in-the-middle attacks.
A team of researchers has published a paper showing that 70,000 HTTPS servers were vulnerable to the attack, 184 of them particularly at risk. While many of the affected sites have since been patched, sites belonging to Visa and the Polish banking association Związek Banków Polskich remain insecure because they reuse a cryptographic nonce, something the TLS protocol forbids (hence the ‘forbidden’ tag).
In order to perform a successful attack on some of the 70,000 sites identified, it would be necessary to flood a connection with terabytes of data, making such an attack quite unlikely in practice. But a security risk is a security risk, and the source of the vulnerability is particularly concerning.
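As an added illustration (not code from this article or from the researchers’ paper), the Go program below shows why reusing a nonce under AES-GCM is fatal and the check a TLS record layer must enforce; the key, nonce and message values are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// ErrNonceReuse is returned when a nonce is presented twice under one key.
var ErrNonceReuse = errors.New("aes-gcm: nonce reused under the same key")

// NewGCM builds an AES-GCM AEAD; the only error is a key that is not 16/24/32 bytes.
func NewGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// KeystreamLeak shows the failure behind the forbidden attack: GCM is counter mode,
// so two records sealed under one key and nonce share a keystream, c1^c2 == p1^p2,
// and knowing p1 yields p2 on the common prefix (the 16-byte tag follows the bytes).
func KeystreamLeak(aead cipher.AEAD, nonce, p1, p2 []byte) []byte {
	c1 := aead.Seal(nil, nonce, p1, nil)
	c2 := aead.Seal(nil, nonce, p2, nil)
	var out []byte
	for i := 0; i < len(p1) && i < len(p2); i++ {
		out = append(out, c1[i]^c2[i]^p1[i])
	}
	return out
}

// NonceGuard is the defensive counterpart: a record layer must never seal twice
// under one (key, nonce), so Seal fails closed instead of emitting a record.
type NonceGuard struct {
	AEAD cipher.AEAD
	seen map[string]bool
}

// Seal encrypts pt under nonce, refusing any nonce already used with this guard.
func (g *NonceGuard) Seal(nonce, pt []byte) ([]byte, error) {
	if g.seen == nil {
		g.seen = map[string]bool{}
	}
	if g.seen[string(nonce)] {
		return nil, ErrNonceReuse
	}
	g.seen[string(nonce)] = true
	return g.AEAD.Seal(nil, nonce, pt, nil), nil
}
```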
The video above shows how the vulnerability can be exploited to inject a script into the German Visa site.
You can read the researchers’ full report, Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS, for more details of the vulnerability.