A new hacking technique dubbed BREACH can extract login tokens, session ID numbers and other sensitive information from SSL/TLS encrypted web traffic in just 30 seconds.
The technique was demonstrated at the Black Hat security conference in Las Vegas (Presentation PDF & Paper) by Yoel Gluck along with researchers Neal Harris and Angelo Prado; it allows attackers to decode encrypted data that online banks and e-commerce sites send over an HTTPS channel.
Neal, Yoel and Angelo (From left to right) at BlackHat
BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) is very targeted and does not decrypt the entire channel. Instead, it manipulates data compression to pry out small pieces of information from HTTPS-protected data, including email addresses, security tokens, and other plaintext strings.
Angelo Prado told The Hacker News, "We are using a compression oracle that is leveraging the building blocks from CRIME, on a different compression context." In other words, to execute the oracle attack, BREACH exploits the standard Deflate compression algorithm that many websites apply to HTTP responses to conserve bandwidth.
The attacker has to continually eavesdrop on the encrypted traffic between the victim and the web server, and the exploit requires that the victim first access a malicious link; this can be done by embedding an iframe tag in a page the victim frequents.
The recovery of secret authentication cookies opens the door for attackers to pose as their victims and hijack authenticated web sessions. It is important to note that the attack is agnostic to the version of TLS/SSL, and does not require TLS-layer compression. Additionally, the attack works against any cipher suite.
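The compression side channel described above, as an added illustration (this is not code from the researchers or from the conference paper): a toy page body that places attacker-influenced text next to a secret token, a check that reports whether the DEFLATE-compressed response size singles out the correct next character of that token (the "oracle" the article refers to), and the per-response masking mitigation (send the token as mask || mask XOR secret, so the literal secret never repeats across responses), which is one of the mitigations the BREACH authors proposed. The token value, page markup, hex alphabet and all function names are constructed for this example.

```python
import hmac
import os
import zlib
from typing import Callable, Dict, Optional

# Constructed sample token (hypothetical value, chosen for the example).
SECRET = b"csrf=7f3a9c1e"
HEX = "0123456789abcdef"


def compressed_size(body: bytes) -> int:
    """Size of a body after DEFLATE, as an HTTP gzip/deflate layer would send it."""
    return len(zlib.compress(body, 9))


def render_plain(reflected: bytes) -> bytes:
    """Vulnerable page: attacker-influenced text and the secret share one compressed body."""
    return (b"<html><p>No results for " + reflected + b".</p>"
            b"<a href='/account?" + SECRET + b"'>Account</a></html>")


def mask_secret(secret: bytes, mask: bytes) -> bytes:
    """Encode the secret as hex(mask) || hex(secret XOR mask); the bytes differ per response."""
    if len(mask) != len(secret):
        raise ValueError("mask must be as long as the secret")
    masked = bytes(s ^ m for s, m in zip(secret, mask))
    return mask.hex().encode() + masked.hex().encode()


def unmask_secret(encoded: bytes) -> bytes:
    """Recover the secret from a mask_secret() value (server side, on submission)."""
    raw = bytes.fromhex(encoded.decode())
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(s ^ m for s, m in zip(masked, mask))


def render_masked(reflected: bytes, mask: Optional[bytes] = None) -> bytes:
    """Mitigated page: same layout, but the literal secret never appears in the body."""
    if mask is None:
        mask = os.urandom(len(SECRET))  # fresh mask for every response
    return (b"<html><p>No results for " + reflected + b".</p>"
            b"<a href='/account?" + mask_secret(SECRET, mask) + b"'>Account</a></html>")


def verify_submitted_token(submitted: bytes, expected: bytes = SECRET) -> bool:
    """Constant-time check of a masked token sent back by the browser."""
    try:
        return hmac.compare_digest(unmask_secret(submitted), expected)
    except ValueError:  # malformed hex; UnicodeDecodeError is a ValueError too
        return False


def next_byte_signal(render: Callable[[bytes], bytes], known_prefix: bytes) -> Dict[str, int]:
    """Compressed response size for each candidate continuation of a known prefix."""
    return {c: compressed_size(render(known_prefix + c.encode())) for c in HEX}


def leaks_next_byte(render: Callable[[bytes], bytes], known_prefix: bytes, true_next: str) -> bool:
    """True if the correct continuation gives the unique smallest response, i.e. the oracle exists.

    On the vulnerable page the correct guess lengthens the LZ77 match against the real
    token by one byte, so one literal disappears and the output shrinks by one byte.
    """
    sizes = next_byte_signal(render, known_prefix)
    smallest = min(sizes.values())
    winners = [c for c, n in sizes.items() if n == smallest]
    return winners == [true_next]


if __name__ == "__main__":
    print("plain page leaks next byte: ", leaks_next_byte(render_plain, b"csrf=7f3", "a"))
    print("masked page leaks next byte:", leaks_next_byte(render_masked, b"csrf=7f3", "a"))
```

The check is the kind of test a site owner can run against their own templates: if a known prefix plus the right character reliably yields the smallest compressed body, the response is a compression oracle regardless of the TLS version or cipher suite, exactly as the article notes. Masking removes the byte-level repetition the oracle depends on; disabling HTTP compression on responses that carry secrets, or keeping user-influenced text and secrets in separate responses, are the other standard mitigations.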