A just released report at the SecurityVibes site for CISOs talks about an SSL security hole that has been used to circumvent supposedly secure E-commerce sites and corporate SSL-VPN connections. This hole allows hackers to use man-in-the-middle attack techniques to break into e-commerce sites round the world.
E-commerce sites are renowned for their security as they use the secure HTTPS protocol for all business transactions, however the report from the UK ethical hacking firm, First Base Technologies gives a step-by-step guide to the configuration weakness reported in OWASP’s web developer’s guide.
The worrying concern is that the weakness was listed on the OWASP site almost three years ago but e-commerce sites and corporate VPNs have still not plugged the hole and so cybercriminals are still able to hijack on-going connections for corporate espionage and other malicious activities.
The hijack works regardless of authentication type and the amount of encryption used because criminals are essentially hijacking the session using the session token of a user connection to the e-commerce site. In other words the attack works whether you use two-factor authentication or a highly secure SSL-VPN connection.
The problem occurs when a user browses an e-commerce site’s catalog. In order to create a fast connection, HTTP is used which causes all communication to happen in the clear. Now when a user wants to purchase something, an e-commerce site will switch the user to the secure protocol HTTPS during the purchase to protect the user’s private information.
At this stage a session token will be generated for the HTTPS session and transmitted in a cookie. If the user then continues to browse the site, they will be switched back to HTTP but in some cases the cookie will continue to be transmitted, this time in clear text.
Sites that do not mark the SSL cookie as ‘secure’ will behave in this fashion, thus giving criminals the opportunity to hijack the session whilst the users are shopping online or using critical VPN services.