Website Auto-complete Leaks Data Even Over Encrypted Link


I’m always fascinated by side-channel attacks where the attack is focused on the underlying architecture of the cryptosystem and the data echos it creates rather than the algorithm or implementation itself. Similar somewhat to the recent breaking of OpenSSL using power fluctuations.

This time some researcher type fellas focused on the digital noise autocomplete webforms make over an encrypted connection and how it can expose some pretty sensitive data such as medical histories, income, search queries and more.

Google, Yahoo, Microsoft’s Bing, and other leading websites are leaking medical histories, family income, search queries, and massive amounts of other sensitive data that can be intercepted even when encrypted, computer scientists revealed in a new research paper.

Researchers from Indiana University and Microsoft itself were able to infer the sensitive data by analyzing the distinct size and other attributes of each exchange between a user and the website she was interacting with. Using man-in-the-middle attacks, they could glean the information even when transactions were encrypted using the Secure Sockets Layer, or SSL, protocol or the WPA, or Wi-fi Protected Access protocol.

“Our research shows that surprisingly detailed sensitive user data can be reliably inferred from the web traffic of a number of high-profile, top-of-the-line web applications” offered by Google, Yahoo, and Bing as well as the leading online providers of tax, health and investments services, which the researchers didn’t name.

There’s a lot of inference going on but from what I understand of the attack it would only get more accurate as they collected more data and refined the pattern matching.

The attack can succeed over SSL (https connections) or WPA encrypted wireless sessions.

It’s like a rather complex puzzle piecing together different snippets of meta data to come out with an answer, which so far seems to be working well.


They also showed how the auto-suggestion features in Google, Yahoo!, and Bing can leak the search terms users enter, even when traffic is encrypted over WPA. That’s because the resulting packets are easy to identify by their “web flow vectors.”

The threat is significant because it stems from fundamental characteristics of software-as-a-service applications that have been in vogue for about a decade. Among other things, apps built on AJAX and other Web 2.0 technologies are usually “stateful,” meaning they keep track of unique configuration information. Such data often has “low entropy,” making it easy for attackers to make educated guesses about its contents.

While a variety of mitigations are available to prevent such attacks, the researchers warn they could come at a high cost. The most obvious solution is to “pad” responses with superfluous data that confuses attackers trying to make sense of the traffic. But the researchers showed the mitigation isn’t always effective and they also point out that it adds a considerable amount of traffic to each transaction, which in turn drives up the costs of operation.

Honestly as a real life attack, apart from corporate espionage or identity theft I don’t see how it is very practical or dangerous.

Plus mitigation will produce a lot of redundant data and increase operation costs, who wants that?

You can get the full white-paper here:

WebAppSideChannel-final.pdf [PDF]

Source: The Register

Posted in: Cryptography, Exploits/Vulnerabilities, Privacy

, , , , ,


Latest Posts:


APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc
GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.
HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.


Comments are closed.