Researcher raids browser history for webmail login tokens
Point, click, and hijack
In a disclosure that has implications for the security of e-commerce and Web 2.0 sites everywhere, a researcher has perfected a technique for stealing unique identifiers used to prevent unauthorized access to email accounts and other private resources.
Websites typically append a random sequence of characters to URLs after a user has entered a correct password. The token is designed to prevent CSRF (cross-site request forgery) attacks, which trick websites into executing unauthorized commands by exploiting the trust they have for a given user's browser. The token is generally unique for each user, preventing an attacker from using CSRF attacks to rifle through a victim's account simply by sending a generic URL to a website.
Now, a researcher who goes by the name Inferno has come up with a way to guess CRSF tokens using brute forcing techniques by combining it with a much older attack. As researchers have pointed out for years, it's trivial for website owners to steal a complete copy of most people's recent browsing history using what's known as CSS history hacking. By checking each visitor for a long list of possible tokens belonging to highly desirable websites (think Gmail, eBay, and the like), an unscrupulous webmaster can determine a CSRF token with minimal fuss.
It's "another neat little technique in the web hacker's toolbox, in the event that your target website doesn't have any XSS (cross-site scripting) issues," said Jeremiah Grossman, a web application security expert and the CTO of WhiteHat Security. "Once I have the token, then I can force you to make valid requests with your browser that'll work."
The technique has several advantages over current attacks. Namely, it runs entirely on the client, so web application firewalls and intrusion detection devices used by websites are generally blind to the attack. Inferno admits that the method is generally useful for guessing tokens that are relatively short. A base16 token with a length of five character generated about 393,216 requests, he noted.
"I tried it on a base16 string of length 5 and was able to brute force the entire key space in less than 2 minutes," he wrote here.
The new technique has some important implications for the way webmasters should issue tokens. For one thing, tokens should contain eight or more more characters - though with the breakneck growth of computer processing power, that number will be sure to rise.
Inferno recommended that websites employ other countermeasures, including storing CSRF tokens as part of a hidden form field rather than putting it in a URL and using a different random token for each form submission. ®