A serious flaw in the way ecommerce sites implement secure
internet access through the HTTPS protocol could put
customers' credit card details at risk, it was claimed today.
Internet users are aware that they should only give their credit
card details to sites that use HTTPS protocol to encrypt the
transmission of user details over the internet.
But First Base Technologies has spotted a flaw in the way many
web sites use HTTPS, which renders the encryption useless.
According to Peter Wood, chief of operations at First Base
Technologies, the flaw allows a hacker to hijack the internet
cookies used to manage secure sessions on HTTPS web servers.
"Many websites do not flag the session cookie used by HTTPS as
secure," he said, speaking at InfoSecurity 2009.
Normally this cookie is used like a pass key to allow the user's
browser to send a token to the HTTPS server, rather than requiring
authentication every time the server is accessed.
However, Wood's team has found that unless the HTTPS session
cookie is flagged "secure", it is transmitted as plain text and can
be intercepted by a hacker.
This is not normally a problem for an HTTPS session, but
ecommerce sites that present web-based catalogues normally also use
HTTP and support multiple browser sessions, allowing the user to
log into the web site more than once. When these are combined with
an HTTPS session token that has not been flagged as "secure", the
hacker can pretend to be a genuine user and access the site using
the same token.
Wood warned that the attack could also be used to compromise
strong security practices like RSA SecurID, which rely on
two-factor authentication.
Wood said, "If you use RSA you have to tell the server to
generate secure cookies, otherwise a hacker can grab the token using
a man-in-the-middle style attack." Once the token has been stolen,
the hacker can then access any of the data and applications on the
corporate intranet that the user has access to. Moreover, the
hacker may be able to reverse engineer the secure token to work out
how it was generated, which would compromise the company's
two-factor authentication system.
Wood said that the only way web sites can protect users is by
ensuring their application developers correctly flag HTTPS cookies
as secure. He believed hackers were using this flaw to steal
internet users' card details.
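
The fix Wood describes can be checked from the server's own responses. The following is an added example, not code from the article or from First Base Technologies: it audits the Set-Cookie headers an HTTPS site emits and reports cookies that lack the Secure attribute. The cookie names, the sample headers and the session-name heuristic are constructed assumptions.

```python
# Added example: audit Set-Cookie headers for a missing Secure attribute.
# Assumption: substrings that suggest a cookie carries a session token.
SESSION_HINTS = ("sess", "sid", "auth", "token")

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs

def audit(headers):
    """Return (cookie name, kind) for every cookie set without Secure."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            is_session = any(hint in name.lower() for hint in SESSION_HINTS)
            findings.append((name, "session" if is_session else "other"))
    return findings

def harden(header):
    """Return the header with Secure appended if it is missing."""
    _, _, attrs = parse_set_cookie(header)
    if "secure" in attrs:
        return header
    return header.rstrip("; ") + "; Secure"

# Constructed sample: headers captured from an HTTPS login response.
SAMPLE_HEADERS = [
    "JSESSIONID=9f2c; Path=/; HttpOnly",          # session token, no Secure
    "cart_id=77; Path=/",                         # non-session, no Secure
    "auth_token=ab12; Path=/; Secure; HttpOnly",  # correctly flagged
    "lang=en; Path=/; secure",                    # lower-case flag still counts
]

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_HEADERS):
        print(f"{name}: missing Secure ({kind} cookie)")
    print([harden(h) for h in SAMPLE_HEADERS])
```

A "session" finding is the case the article is about: a browser will attach that cookie to plain HTTP requests to the same site, such as the catalogue pages.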