Facebook found a 19-year-old security gap; risk for the “giants” of technology

© Provided by: capital.gr. By Thomas Fox-Brewster

Facebook has paid a reward to thank some well-meaning hackers who pointed out a 19-year-old security gap that could potentially be exploited to hijack user accounts. Although the social network is now secure, many top websites remain vulnerable to this security gap, the researchers warned.

The social network did not reveal how much it paid Hanno Böck from the Ruhr-Universität Bochum and his fellow researchers Juraj Somorovsky and Craig Young for their work. The researchers have not revealed the amount either, although they published their findings on their blogs on Tuesday, naming the security gap the “ROBOT Attack”. They discovered that a huge number of websites (nearly a third of the top 100 sites ranked by Alexa) are still vulnerable to a security gap originally described by cryptographer Daniel Bleichenbacher, who in 1998 revealed weaknesses in the widely used RSA encryption and the Secure Sockets Layer (SSL) protocol.

With the Bleichenbacher security gap, an attacker could repeatedly send ciphertexts (encrypted plain text that looks like letters and numbers in random order) to a server. The server would answer each query with “right” or “wrong”, based on the validity of the ciphertext. This meant that it was possible to determine what the user’s legitimate ciphertext was, without accessing the user’s private key or website. The hacker would then have to send a large number of requests to an internet server to create the correct ciphertext for a successful “handshake”, that is, the agreement to exchange information between the user and the server via encrypted messages.

On those sites that have not correctly fixed this security vulnerability, a hacker could exploit it to attack the user. They could then retrieve information, such as user passwords.
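The “right” or “wrong” answer described above, next to the countermeasure TLS specifies (carry on with a random secret so both cases end in the same reply), as an added example that is not from the article or the researchers. The toy key, the function names and the reply strings are constructed for this sketch.

```python
import hmac, os

# Constructed toy RSA key built from two Mersenne primes; for this demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus length in bytes
SECRET_LEN = 48                    # size of a TLS premaster secret

def encrypt(block: bytes) -> int:
    """Raw RSA public-key operation on an already formatted block."""
    return pow(int.from_bytes(block, "big"), E, N)

def pad(secret: bytes) -> bytes:
    """PKCS#1 v1.5 encryption padding: 00 02 <nonzero bytes> 00 <secret>."""
    filler = bytes(b % 255 + 1 for b in os.urandom(K - 3 - len(secret)))
    return b"\x00\x02" + filler + b"\x00" + secret

def unpad(ciphertext: int):
    """Return the secret if the decrypted block is well formed, else None."""
    block = pow(ciphertext, D, N).to_bytes(K, "big")
    sep = block.find(b"\x00", 2)
    if block[:2] != b"\x00\x02" or sep < 10 or K - sep - 1 != SECRET_LEN:
        return None
    return block[sep + 1:]

def finished(secret: bytes) -> bytes:
    """Stand-in for the TLS Finished check value derived from the secret."""
    return hmac.new(secret, b"finished", "sha256").digest()

def leaky_server(ciphertext: int, client_finished: bytes) -> str:
    secret = unpad(ciphertext)
    if secret is None:
        return "alert: bad padding"          # the distinct 'wrong' answer
    ok = hmac.compare_digest(finished(secret), client_finished)
    return "ok" if ok else "alert: handshake failure"

def hardened_server(ciphertext: int, client_finished: bytes) -> str:
    fallback = os.urandom(SECRET_LEN)        # always drawn, used only on failure
    secret = unpad(ciphertext) or fallback   # real code must also be constant time
    ok = hmac.compare_digest(finished(secret), client_finished)
    return "ok" if ok else "alert: handshake failure"

def responses(server):
    """Replies to a well-padded and a badly padded probe (both constructed)."""
    good = encrypt(pad(os.urandom(SECRET_LEN)))
    bad = encrypt(b"\x00\x01" + b"\xff" * (K - 2))
    return server(good, bytes(32)), server(bad, bytes(32))
```

`responses(leaky_server)` returns two different replies, which is the signal the attack depends on; `responses(hardened_server)` returns the same reply twice.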

“If you take advantage of this security gap correctly, basically anything you think you send safely to Facebook is not safe”, said encryption expert Alan Woodward, a professor at the Department of Computer Science at the University of Surrey.

To prove that an attack on Facebook was possible, the researchers implemented the Bleichenbacher attack on their own systems, optimized to be more effective, before signing with the private key of the Facebook.com HTTPS certificate. This meant they could effectively mimic the site and look legitimate, but Böck told Forbes that a hacker “should be fast enough to make a handshake”.

Facebook is safe, but many websites are vulnerable to this security gap.

Facebook corrected this error in October. A company spokesman said: “We are grateful to the scientists who have pointed it out to us. We quickly solved the problem, which was created by a correction we made and did not appear in our tests or in some external testing. We do not know of any misuse of this error and we paid researchers with the rewards program for people who spot bugs. We have also encouraged researchers to further explore the implications of this issue on other online services.”

Indeed, while Facebook resolved the issue in October, many other websites may remain vulnerable, according to Böck.

“There are important sites that have not fixed the gap yet, despite the fact that we informed them weeks ago, but we decided not to reveal them”, he said. PayPal, another site that the researchers claimed to be vulnerable to the ROBOT Attack, has not responded to a request for comment.

The researchers also found a large number of web server technologies to be affected. They have provided a handy list for those who want to know whether their website is vulnerable to attack. Cisco, for example, has released a list of many of its products that may be exposed to the security gap.

“The Bleichenbacher security gap is not new, so it’s surprising that it reappears, especially in high-profile systems”, said Woodward.

“Such attacks are difficult to execute, but if you had access to a Wi-Fi access point or a large telecommunications network, it could be a problem”, added Matthew Green, an encryption specialist and assistant professor at Johns Hopkins Institute of Information Security.

“In fact, it will probably not allow massive violations, because these attacks are running late, but it could allow targeted violations”.

 

Source: www.capital.gr
