Feeds

Researcher raids browser history for webmail login tokens

Point, click, and hijack

The Power of One eBook: Top reasons to choose HP BladeSystem

In a disclosure that has implications for the security of e-commerce and Web 2.0 sites everywhere, a researcher has perfected a technique for stealing unique identifiers used to prevent unauthorized access to email accounts and other private resources.

Websites typically append a random sequence of characters to URLs after a user has entered a correct password. The token is designed to prevent CSRF (cross-site request forgery) attacks, which trick websites into executing unauthorized commands by exploiting the trust they have for a given user's browser. The token is generally unique for each user, preventing an attacker from using CSRF attacks to rifle through a victim's account simply by sending a generic URL to a website.

Now, a researcher who goes by the name Inferno has come up with a way to guess CRSF tokens using brute forcing techniques by combining it with a much older attack. As researchers have pointed out for years, it's trivial for website owners to steal a complete copy of most people's recent browsing history using what's known as CSS history hacking. By checking each visitor for a long list of possible tokens belonging to highly desirable websites (think Gmail, eBay, and the like), an unscrupulous webmaster can determine a CSRF token with minimal fuss.

It's "another neat little technique in the web hacker's toolbox, in the event that your target website doesn't have any XSS (cross-site scripting) issues," said Jeremiah Grossman, a web application security expert and the CTO of WhiteHat Security. "Once I have the token, then I can force you to make valid requests with your browser that'll work."

The technique has several advantages over current attacks. Namely, it runs entirely on the client, so web application firewalls and intrusion detection devices used by websites are generally blind to the attack. Inferno admits that the method is generally useful for guessing tokens that are relatively short. A base16 token with a length of five character generated about 393,216 requests, he noted.

"I tried it on a base16 string of length 5 and was able to brute force the entire key space in less than 2 minutes," he wrote here.

The new technique has some important implications for the way webmasters should issue tokens. For one thing, tokens should contain eight or more more characters - though with the breakneck growth of computer processing power, that number will be sure to rise.

Inferno recommended that websites employ other countermeasures, including storing CSRF tokens as part of a hidden form field rather than putting it in a URL and using a different random token for each form submission. ®

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.