Feeds

Researcher raids browser history for webmail login tokens

Point, click, and hijack

Securing Web Applications Made Simple and Scalable

In a disclosure that has implications for the security of e-commerce and Web 2.0 sites everywhere, a researcher has perfected a technique for stealing unique identifiers used to prevent unauthorized access to email accounts and other private resources.

Websites typically append a random sequence of characters to URLs after a user has entered a correct password. The token is designed to prevent CSRF (cross-site request forgery) attacks, which trick websites into executing unauthorized commands by exploiting the trust they have for a given user's browser. The token is generally unique for each user, preventing an attacker from using CSRF attacks to rifle through a victim's account simply by sending a generic URL to a website.

Now, a researcher who goes by the name Inferno has come up with a way to guess CRSF tokens using brute forcing techniques by combining it with a much older attack. As researchers have pointed out for years, it's trivial for website owners to steal a complete copy of most people's recent browsing history using what's known as CSS history hacking. By checking each visitor for a long list of possible tokens belonging to highly desirable websites (think Gmail, eBay, and the like), an unscrupulous webmaster can determine a CSRF token with minimal fuss.

It's "another neat little technique in the web hacker's toolbox, in the event that your target website doesn't have any XSS (cross-site scripting) issues," said Jeremiah Grossman, a web application security expert and the CTO of WhiteHat Security. "Once I have the token, then I can force you to make valid requests with your browser that'll work."

The technique has several advantages over current attacks. Namely, it runs entirely on the client, so web application firewalls and intrusion detection devices used by websites are generally blind to the attack. Inferno admits that the method is generally useful for guessing tokens that are relatively short. A base16 token with a length of five character generated about 393,216 requests, he noted.

"I tried it on a base16 string of length 5 and was able to brute force the entire key space in less than 2 minutes," he wrote here.

The new technique has some important implications for the way webmasters should issue tokens. For one thing, tokens should contain eight or more more characters - though with the breakneck growth of computer processing power, that number will be sure to rise.

Inferno recommended that websites employ other countermeasures, including storing CSRF tokens as part of a hidden form field rather than putting it in a URL and using a different random token for each form submission. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Boffins build FREE SUPERCOMPUTER from free cloud server trials
Who cares about T&Cs when there's LIteCoin to mint?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.