Researchers show how to crack into private messages over Gmail and Facebook

BREACH was a serious security exploit, disclosed in 2013, against the widely used TLS (Transport Layer Security) protocol, which is designed to provide a secure conduit for electronic transactions of many kinds, especially web and email.

The panic over the new hacking technique was widespread, mainly because it could be easily used to intercept a user's private messages within just thirty seconds, and left most major websites, including banks, e-commerce and social media sites, vulnerable.

It was widely believed to have been mitigated after Facebook took measures to prevent it, but now researchers have come forward to show that it can be resurrected to persistently attack traffic, including all Gmail and Facebook chat sessions.

BREACH potentially allowed attackers to steal the unique authentication tokens generated by websites that were supposed to prevent attackers impersonating users.

Facebook stopped this by incorporating mechanisms such as increasing the frequency with which it rotates its tokens, while other websites claimed to have safely mitigated it by disabling compression at the TLS level.
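The two mitigations named above treat different symptoms of the same root cause: a secret token and attacker-influenced text end up in one compressed response, and the compressed size then depends on how much of the token the attacker's text already matches. The following added example (not code from the article or the researchers' paper) is a defender-side self-check built on that idea. It renders a constructed page with a constructed token, measures DEFLATE output size for each candidate next character, and reports which candidates come out smallest; it then applies the per-response masking mitigation listed in the original BREACH disclosure (XOR the token with a fresh random pad and send pad||masked) to show the size signal disappearing. The page template, the token value, the `mask_token`/`unmask_token`/`length_leak` names and the use of `zlib.Z_FIXED` (static Huffman codes, chosen so the toy is deterministic; real servers use dynamic codes, which add noise but leak the same way) are all assumptions of this example.

```python
import secrets
import zlib
from typing import Optional

# Constructed sample secret: a 16-hex-character anti-CSRF token (not a real value).
TOKEN = "ab3f9c0e17d5a2b4"
HEX = "0123456789abcdef"


def compressed_len(body: bytes) -> int:
    """Size of the DEFLATE stream a compressing HTTP layer would put on the wire.
    Z_FIXED (static Huffman codes) makes this toy deterministic; production
    compressors use dynamic codes, which add noise but leak in the same way."""
    comp = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
    return len(comp.compress(body) + comp.flush())


def render_plain(token: str, reflected: str) -> bytes:
    """Constructed page shape: a secret token and attacker-influenced text
    (a reflected search query) share one compressed response body."""
    return (f"<input name=csrf value={token}>"
            f"<p>Search results for: {reflected}</p>").encode()


def mask_token(token: str, pad: Optional[bytes] = None) -> str:
    """Per-response masking: XOR the token with a fresh random pad and send
    pad||masked as hex. The token's bytes never repeat on the wire, so reflected
    text cannot partially match them. `pad` is injectable only for tests."""
    raw = token.encode()
    if pad is None:
        pad = secrets.token_bytes(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, pad))
    return (pad + masked).hex()


def unmask_token(wire: str) -> str:
    """Server side: recover the original token from pad||masked."""
    blob = bytes.fromhex(wire)
    half = len(blob) // 2
    return bytes(a ^ b for a, b in zip(blob[:half], blob[half:])).decode()


def render_masked(token: str, reflected: str, pad: Optional[bytes] = None) -> bytes:
    """Same page, but the token is masked freshly for every response."""
    return render_plain(mask_token(token, pad), reflected)


def length_leak(render, token: str, known_prefix: str) -> set:
    """Defender self-check. For each candidate next character c, measure the
    compressed size when the reflected text carries known_prefix + c, and return
    the candidates with the smallest size. If the true next character is singled
    out, the page leaks the token through its compressed length."""
    sizes = {c: compressed_len(render(token, f"value={known_prefix}{c}")) for c in HEX}
    smallest = min(sizes.values())
    return {c for c, n in sizes.items() if n == smallest}


if __name__ == "__main__":
    prefix = TOKEN[:2]
    # Unmasked page: only the true third character of the token compresses best.
    print("plain :", sorted(length_leak(render_plain, TOKEN, prefix)))
    # Masked page: no candidate stands out (usually all 16 tie).
    print("masked:", len(length_leak(render_masked, TOKEN, prefix)))
```

Disabling compression removes the channel entirely, and frequent rotation only shortens the window in which a recovered token is useful; masking keeps compression but breaks the link between the secret and the reflected text, which is the property this check measures.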

But 'the fundamental aspects of BREACH are still not mitigated and popular websites, including Facebook, continue support for vulnerable endpoints,' said the researchers, PhD students Dimitris Karakostas from the National Technical University of Athens and Dionysis Zindros from the University of Athens in their paper.

Their work demonstrates that BREACH can evolve to attack major web applications, confirming that TLS traffic is still practically vulnerable, and that the attack could in fact be 500 times faster using these newly discovered methods.

'We conclude that all existing mitigation mechanisms are insufficient and can be bypassed or are not practical,' they wrote.

They also discussed a proposed mechanism, first-party cookies, that could eliminate the attacks.

'This proposal is still in draft stage and has not been implemented in any browser. We urge browser vendors to adopt it immediately and web service authors to opt-in.'

Ben Rossi