Two researchers at the Black Hat conference in Las Vegas on Thursday exposed 24 ways hackers can hijack seemingly secure browser sessions.
Robert Hansen and Josh Sokol demonstrated methods attackers can use to take over users' accounts or assume control of a website without the need for any exploits, due to the way browsers implement "HTTPS." HTTPS, a combination of the Hypertext Transfer Protocol with the SSL/TLS Protocol, allows a website owner to encrypt a session using a digital certificate.
For any of the two dozen attacks to work, however, a criminal would have to have assumed control of a user's computer via a man-in-the-middle (MITM) exploit, by which an attacker intercepts communications between two systems.
But the researchers wanted to show that HTTPS protection alone won't stop bad things from happening.
For example, the pair detailed an attack known as "session fixation" that takes advantage of the fact that banks using HTTPS don't change a user's cookie after they log in -- they simply mark it as valid. As a result, an attacker with MITM control could visit the bank site ahead of the user and set the cookie, essentially logging in the crook as the legitimate user.
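The cookie handling described above, next to the standard server-side fix of issuing a new session ID at login, as an added example that is not from the talk or this article. The in-memory `SessionStore`, its method names and the user name are hypothetical.

```python
import secrets


class SessionStore:
    """In-memory stand-in for a server-side session table (hypothetical)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # Anonymous session created on first visit, before any login.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")

    def login_keep_id(self, sid, user):
        # Behaviour the article describes: the pre-login cookie is
        # simply marked as valid, so its value never changes.
        self._sessions[sid]["user"] = user
        return sid

    def login_rotate_id(self, sid, user):
        # Mitigation: discard the pre-login ID and issue a fresh one,
        # so a value known before login is worthless afterwards.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def prelogin_id_still_authenticated(login_method_name):
    """True if the session ID seen before login is authenticated after it."""
    store = SessionStore()
    prelogin_sid = store.new_session()  # value observable before login
    login = getattr(store, login_method_name)
    postlogin_sid = login(prelogin_sid, "alice")  # constructed user name
    assert store.user_for(postlogin_sid) == "alice"
    return store.user_for(prelogin_sid) == "alice"


if __name__ == "__main__":
    print("keep id  :", prelogin_id_still_authenticated("login_keep_id"))
    print("rotate id:", prelogin_id_still_authenticated("login_rotate_id"))
```

The same check works as a regression test against a real login endpoint: record the session cookie before authenticating and confirm the server no longer accepts it afterwards.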
Another scenario, known as "delayed pop-up," involves a user who visits a website, such as a bank, and clicks on a link to go to the SSL-protected version of the site. This opens a second tab, but if the attacker has control of the first tab, he is able to change the other HTTPS tab to redirect users to malicious executables or authentication forms.
Still, the reliance on MITM makes the scenarios Hansen and Sokol demonstrated unlikely to happen on a widespread scale, they said.
"You'd have to be a very determined attacker," Hansen said. "And determined attackers have a lot of other avenues for attack."
He did say that while "the world is not crashing," website owners and users should take the threats seriously as they have the potential to threaten secure electronic commerce. Potential mitigations include the browser makers offering tab, port and cookie sandboxing controls.
Hansen added that there are likely "hundreds" of other similar vulnerabilities.