Learn Insider Threat Detection with Application Response Strategies
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
The technique was demonstrated at the Black Hat security conference in Las Vegas (Presentation PDF & Paper) by Gluck along with researchers Neal Harris and Angelo Prado, which allows hackers to decodes encrypted data that online banks and e-commerce sites from an HTTPS channel.
BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) is very targeted and don't decrypt the entire channel. BREACH manipulates data compression to pry out doses of information from HTTPS protected data, including email addresses, security tokens, and other plain text strings.
Angelo Prado told The Hacker News, "We are using a compression oracle is leveraging the building blocks from CRIME, on a different compression context." i.e. To execute the oracle attack, BREACH exploits the standard Deflate compression algorithm used by many websites to conserve bandwidth.
The attacker just has to continually eavesdrop on the encrypted traffic between a victim and a web server before and the exploit requires that a victim first access a malicious link, this can be done by embedding an iframe tag in a page the victim frequents.
The recovery of secret authentication cookies opens the door for attackers to pose as their victims and hijack authenticated web sessions. It is important to note that the attack is agnostic to the version of TLS/SSL, and does not require TLS-layer compression. Additionally, the attack works against any cipher suite.