A serious flaw in the way ecommerce sites implement secure internet access through the HTTPS protocol could put customers' credit card details at risk, it was claimed today.
Internet users are aware that they should only give their credit card details to sites that use the HTTPS protocol to encrypt the transmission of user details over the internet.
But First Base Technologies has spotted a flaw in the way many web sites use HTTPS, which renders the encryption useless.
According to Peter Wood, chief of operations at First Base Technologies, the flaw allows a hacker to hijack the internet cookies used to manage secure sessions on HTTPS web servers.
"Many websites do not flag the session cookie used by HTTPS as secure," he said, speaking at InfoSecurity 2009.
Normally this cookie is used like a pass key to allow the user's browser to send a token to the HTTPS server, rather than requiring authentication every time the server is accessed.
However, Wood's team has found that unless the HTTPS session cookie is flagged "secure", it is transmitted as plain text and can be intercepted by a hacker.
This is not normally a problem for an HTTPS session, but ecommerce sites that present web-based catalogues normally also use HTTP and support multiple browser sessions, allowing the user to log into the web site more than once. When these are combined with an HTTPS session token that has not been flagged as "secure", the hacker can pretend to be a genuine user and access the site using the same token.
Wood warned that the attack could also be used to compromise strong security practices like RSA SecurID, which rely on two-factor authentication.
Wood said, "If you use RSA you have to tell the server to generate secure cookies otherwise a hacker can grab the token using a man in the middle style attack." Once the token has been stolen, the hacker can then access any of the data and applications on the corporate intranet that the user has access to. Moreover, the hacker may be able to reverse engineer the secure token to work out how it was generated, which would compromise the company's two-factor authentication system.
Wood said that the only way web sites can protect users is by ensuring their application developers correctly flag HTTPS cookies as secure. He believed hackers were using this flaw to steal internet users' card details.
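As an added illustration (not code from First Base Technologies or the original article), the Python below audits Set-Cookie response headers for cookies that lack the Secure attribute and produces the corrected header. The cookie names and values are constructed samples.

```python
# Added example: find cookies set without the Secure attribute.
# All header values below are constructed sample data, not captured traffic.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def missing_secure(headers):
    """Return names of cookies a browser would also send over plain HTTP."""
    return [name for name, _, attrs in map(parse_set_cookie, headers)
            if "secure" not in attrs]

def harden(header):
    """Return the header unchanged if Secure is set, else with Secure appended."""
    _, _, attrs = parse_set_cookie(header)
    if "secure" in attrs:
        return header
    return header.rstrip("; ") + "; Secure"

SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",          # session token, no Secure
    "SESSIONID=def456; Path=/; Secure; HttpOnly",  # correctly flagged
    "basket=42; Path=/catalogue; secure",          # lower-case attribute still counts
    "mode=secure; Path=/",                         # "secure" is the value, not the flag
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, _, _ = parse_set_cookie(header)
        status = "MISSING Secure" if missing_secure([header]) else "ok"
        print(f"{name:10} {status:15} -> {harden(header)}")
```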