Feeds

Researcher raids browser history for webmail login tokens

Point, click, and hijack

Security for virtualized datacentres

In a disclosure that has implications for the security of e-commerce and Web 2.0 sites everywhere, a researcher has perfected a technique for stealing unique identifiers used to prevent unauthorized access to email accounts and other private resources.

Websites typically append a random sequence of characters to URLs after a user has entered a correct password. The token is designed to prevent CSRF (cross-site request forgery) attacks, which trick websites into executing unauthorized commands by exploiting the trust they have for a given user's browser. The token is generally unique for each user, preventing an attacker from using CSRF attacks to rifle through a victim's account simply by sending a generic URL to a website.

Now, a researcher who goes by the name Inferno has come up with a way to guess CRSF tokens using brute forcing techniques by combining it with a much older attack. As researchers have pointed out for years, it's trivial for website owners to steal a complete copy of most people's recent browsing history using what's known as CSS history hacking. By checking each visitor for a long list of possible tokens belonging to highly desirable websites (think Gmail, eBay, and the like), an unscrupulous webmaster can determine a CSRF token with minimal fuss.

It's "another neat little technique in the web hacker's toolbox, in the event that your target website doesn't have any XSS (cross-site scripting) issues," said Jeremiah Grossman, a web application security expert and the CTO of WhiteHat Security. "Once I have the token, then I can force you to make valid requests with your browser that'll work."

The technique has several advantages over current attacks. Namely, it runs entirely on the client, so web application firewalls and intrusion detection devices used by websites are generally blind to the attack. Inferno admits that the method is generally useful for guessing tokens that are relatively short. A base16 token with a length of five character generated about 393,216 requests, he noted.

"I tried it on a base16 string of length 5 and was able to brute force the entire key space in less than 2 minutes," he wrote here.

The new technique has some important implications for the way webmasters should issue tokens. For one thing, tokens should contain eight or more more characters - though with the breakneck growth of computer processing power, that number will be sure to rise.

Inferno recommended that websites employ other countermeasures, including storing CSRF tokens as part of a hidden form field rather than putting it in a URL and using a different random token for each form submission. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.