We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application’s state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts

Alfredo Pironti

Ben Smyth

This document extends https://hal.inria.fr/hal-00863371v1We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application's state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts. Update (October 18, 2014). This technical report revisits our earlier work (2013) and shows that Google remain vulnerable to the attacks that we disclosed

Smyth, Ben

Pironti, Alfredo

Hal-Diderot

Truncating TLS Connections to Violate Beliefs in Web Applications

Archive Ouverte en Sciences de l'Information et de la Communication

INRIA a CCSD electronic archive server

We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application’s state. It follows immediately that servers may make false assump-tions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the follow-ing practical attacks: we exploit the Helios electronic vot-ing system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain tempo-rary access to Google accounts

CiteSeerX

First appeared at Black Hat USA 2013International audienceWe identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application's state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts

https://hal.inria.fr/hal-01102013/file/main-tls-logout.pdf

Truncating TLS Connections to Violate Beliefs in Web Applications

Abstract

Similar works

Full text

Available Versions

Hal-Diderot

Archive Ouverte en Sciences de l'Information et de la Communication

INRIA a CCSD electronic archive server

CiteSeerX

CiteSeerX

INRIA a CCSD electronic archive server