“Ring-Road” leaks the length of passwords allowing attackers to bypass user authentication.
“Ring-Road” leaks the length of passwords allowing attackers to bypass user authentication.

A vulnerability in email accounts that could enable hackers to determine the number of characters being used in passwords has been detected by Spotlight Cybersecurity LLC, a startup affiliated with Purdue University.

The vulnerability in security protocols, dubbed “Ring-Road” by the researchers, leaks the length of passwords allowing attackers to bypass user authentication. The flaw could impact a billion internet users across the globe, said Spotlight Cybersecurity co-founder and chief technology officer Robert Morton.

Morton, a Purdue doctoral candidate in information security in the Center for Education and Research in Information Assurance and Security, or CERIAS, revealed his findings at a gathering of several Purdue departments on April 18.

“We're in discussions with international email service providers right now about this vulnerability,” Morton told the attendees. The extent of the flaw's impact depends on how Ring-Road affects other products and services, he said.

As part of his research into security vulnerabilities at Purdue, Morton developed an exploit to show how hackers might use the bug to discern how many characters were being used in a password used to gain entry to a user's email account.

Over the last five years, the Internet has been transformed with a new suite of performance improving communication protocols such as SPDY, HTTP/2 and QUIC, Morton told SC Media on Thursday. These new protocols are being rapidly implemented to improve the speed and performance of the internet. More than 10 percent of the top one million websites are already using some of these technologies, including much of the 10 highest traffic sites, he said.

"Security protocols like QUIC are using a mode of encryption called Advanced Encryption Standard Galois/Counter Mode (AES-GCM) for its speed and performance. By default, AES-GCM's cipher text is the same length as the original plaintext," Morton told SC. "For transmitting sensitive communications like passwords, an eavesdropper could identify the length of your password and increase their chances to guess your password and successfully login into your account.  And therein lies the problem."

The initial results obtained by the research team showed that the eavesdropper has doubled their advantage to understand enough information to successfully guess a password. For passwords of eight characters, Morton and his team were able to conduct an online attack to bypass Gmail with a 10 percent success rate using empirical evidence of password usage from data breaches like Yahoo.

"We demonstrated this proof-of-concept exploit at the CERIAS Symposium on Tuesday April 18," Morton said. 

As far as how Ring-Road might affect other products and services, Morton told SC that this currently impacts Chrome and Google services like Gmail. "It also impacts servers that use QUIC," he explained. "In this case, speed has been valued more than safety. In a world where adversaries already have an advantage, we do not need to give them clues about our passwords. If we continue to push for faster encryption without considering the threats, we will continue to have problems."

To prevent exposure, the researchers suggested the following steps: 

  1. Users should disable QUIC in Chrome 
  2. Users should enable two step verification with their G-mail account 
  3. We suggest system administrators to block QUIC with their firewall

Rob Morton and his team will publish research findings on the vulnerability in early summer. The team will quantify the damage and provide the results then, he told SC Media.