A new attack has the potential to steal everything from email addresses to social security numbers — and security experts have found it running free in the wild. It works by manipulating the way HTTPS responses are delivered over the Transmission Control Protocol (TCP), allowing attackers to decrypt hidden information and extract personal data about targeted users.
The exploit is known as HEIST, which loosely stands for HTTP Encrypted Information can be Stolen Through TCP-Windows (as per Ars), and it’s especially dangerous because it is both capable and simple. When a web user loads a web page carrying the malicious code, that code is able to query a number of pages and measure the size of the data transmitted when each response comes in.
Although that data is protected by HTTPS, older exploits may allow attackers to decrypt the data in those packets and thereby discover very personal information about the individuals affected.
Fortunately, the technique was devised by security researchers at the University of Leuven, Belgium, rather than by black hats, which is why we’re hearing about it before it has been used for privacy invasions in the wild. The researchers who discovered the exploit, Van Goethem and Mathy Vanhoef, had previously disclosed it to both Microsoft and Google, and proved its viability again yesterday by tacking dangerous code onto a New York Times advert.
The pair believe that in the right hands, the security flaw could affect many websites and by extension, many, many users.
Unfortunately, no proper fix exists at this time. End users can disable cookies, which makes it all but impossible for the data their browser sends to be decrypted, but that would also break functionality on a lot of sites.
Since HEIST is merely the means to an end, and the exploits that allow the decryption of the HTTPS data have been around for years, this doesn’t look like a security hole that will be patched any time soon. Security researchers aren’t hopeful, either.
Unfortunately, this leaves us all swinging in the wind when it comes to protecting ourselves. The only positive is that, since you need to stumble across the malicious code to become vulnerable, sticking to reputable websites that are unlikely to host it is the best way to protect yourself, short of disabling cookies everywhere and walling yourself off from the online world.