Feeds

Your health, tax, and search data siphoned

Software-as-a-service springs SSL leak

Seven Steps to Software Security

Google, Yahoo, Microsoft's Bing, and other leading websites are leaking medical histories, family income, search queries, and massive amounts of other sensitive data that can be intercepted even when encrypted, computer scientists revealed in a new research paper.

Researchers from Indiana University and Microsoft itself were able to infer the sensitive data by analyzing the distinct size and other attributes of each exchange between a user and the website she was interacting with. Using man-in-the-middle attacks, they could glean the information even when transactions were encrypted using the Secure Sockets Layer, or SSL, protocol or the WPA, or Wi-fi Protected Access protocol.

"Our research shows that surprisingly detailed sensitive user data can be reliably inferred from the web traffic of a number of high-profile, top-of-the-line web applications" offered by Google, Yahoo, and Bing as well as the leading online providers of tax, health and investments services, which the researchers didn't name.

"An eavesdropper can infer the medications/surgeries/illnesses of the user, her annual family income and investment choices and money allocations, even though the web traffic is protected by HTTPS. We also show that even in a corporate building that deploys the up-to-date WPA/WPA2 wi-fi encryptions, a stranger without any credential can sit outside the building to glean the query words entered into employees' laptops, as if they were exposed in plain text in the air."

The paper showed how they were able to deduce the doctor and medical condition of a person who had entered the information into a site operated by "one of the most reputable companies of online services," which runs exclusively over an HTTPS channel. In the case of medical conditions, the details were leaked through the site's auto-suggestion feature, which updates potential entries in response to each keystroke.

The researchers discovered they could "disambiguate" the input by matching each keystroke to the size of the response in the suggestion list. Selections from the site's "Find a Doctor" service were inferred by using the user's IP address to guess her geographic location and then analyzing the packets as they flowed back and forth.

The researchers employed similar techniques to a user of an online tax-preparation application that asks simple questions and tailors future queries based on the answers. By scrutinizing the encrypted responses, they were able to determine the site was asking questions concerning student loan interest deductions, which applied only to tax payers who earned less than $145,000.

By compiling a list of the responses concerning other deductions, it was possible to accurately infer a user's annual income, the researchers said.

They also showed how the auto-suggestion features in Google, Yahoo!, and Bing can leak the search terms users enter, even when traffic is encrypted over WPA. That's because the resulting packets are easy to identify by their "web flow vectors."

The threat is significant because it stems from fundamental characteristics of software-as-a-service applications that have been in vogue for about a decade. Among other things, apps built on AJAX and other Web 2.0 technologies are usually "stateful," meaning they keep track of unique configuration information. Such data often has "low entropy," making it easy for attackers to make educated guesses about its contents.

While a variety of mitigations are available to prevent such attacks, the researchers warn they could come at a high cost. The most obvious solution is to "pad" responses with superfluous data that confuses attackers trying to make sense of the traffic. But the researchers showed the mitigation isn't always effective and they also point out that it adds a considerable amount of traffic to each transaction, which in turn drives up the costs of operation.

"Effective and efficient mitigations have to be application-specific: developers will need to identify the vulnerabilities first, and then specify mitigation policies accordingly," the researchers wrote. "This effort requires analysis of web application semantics, information flow and network traffic patterns."

The scientists are Shuo Chen of Microsoft Research; and Rui Wang, XiaoFeng Wang, and Kehuan Zhang of Indiana University at Bloomington's School of Informatics and Computing. A PDF of the paper is here. Princeton University computer science professor and Freedom to Tinker blogger Ed Felton has additional analysis here. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.