Dozens of VISA HTTPS-protected sites vulnerable to Forbidden attack

Pierluigi Paganini May 26, 2016


Dozens of HTTPS-protected websites belonging to Visa are vulnerable to Forbidden Attack, nearly 70,000 servers are at risk.

A new attack technique dubbed ‘Forbidden attack’ expose dozens of HTTPS Visa sites vulnerable to cyber attacks and roughly another 70,000 servers are at risk. A group of international researchers (Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, and Philipp Jovanovic) has discovered that threat actors can inject malicious code and forged content into the browsers of visitors.

The group has published a paper titled Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS.

The experts have discovered 184 servers vulnerable to the attack, some belonging to German stock exchange Deutsche Börse and Polish banking association Zwizek Banków Polskich.

The attack exploit is not new, it is an exploit known at least since ten years, but evidently it has been forgotten. The flaw exploited in the Forbidden Attack is well-documented, but the researchers demonstrated how to exploit it to defeat encrypted communications.

Some organizations have already solved the issue, including the Deutsche Börsebut both Visa and Zwizek Banków Polskich are still vulnerable.

The flaw results from the implementations of the TLS protocol that reuse the same cryptographic nonce for data encryption. The nonce reuse opens the doors to a forbidden attack, which allows hackers to generate the key material used to authenticate site content.

The use of the same nonce when the browser first connects to an HTTPS-protected site makes it possible for threat actors to inject forged content into a transmission over a channel that is shared with the attacker (i.e. An unsecured Wi-Fi network, an attacker on the same LAN segment).

At this point, the tampering of the transmission will not trigger any suspicious behavior that could alert the victims.

“In his comments to NIST Joux [18] described an attack against GCM if nonces are reused. This attack allows an attacker to learn the authentication key and forge messages. Because the uniqueness of nonces is typically a ground rule for cryptanalysis, Joux called his attack the “forbidden attack”. Nevertheless, it highlights an important failure mode in real-world implementations. ” reads the paper published by the researchers. “This results in catastrophic failure of authenticity, even if a nonce is only re-used a single time and enables us to carry out a practical forgery attack against HTTPS,”

Hackers can run a Forbidden attack to tamper communication and add malicious JavaScript code or possibly add Web content could be used for fraudulent activities.

Researcher released online a Proof-of-concept exploit code to show the feasibility of the attack, they also published a video of the attacks against vulnerable Visa sites.

The experts noticed that by giving enough web requests, there’s a high probability a vulnerable website would reuse the nonce,  they estimated that the number of requests necessary for a successful attack still remains extremely high.

The paper reports a table that includes probability p for nonce collision with 2n2 n nonces of 64 bit size, the experts discovered that with about 230 requests the probability is 3% and with 235 requests it is possible to have a 100-percent chance.

forbidden attack test

The study conducted by the researchers has been split into multiple sub-tasks, initially they scanned the web searching for targets, then they tried to find the vulnerable ones.

“Our evaluation of Internet connected devices has been split into multiple sub-tasks. An initial discovery scan, followed by vulnerability scans on discovered target devices with different parameters over a time span of approximately 18 days. In this section we describe the methods used for discovery and analysis of Internet connected devices during our evaluation. ” continues the paper.

Among the 70,000 sites spotted by the researchers, the experts identified several flawed TLS implementations, including one in the IBM’s Domino Web server and another in load balancers from Radware, both already fixed.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

Thank you


[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Forbidden attack, hacking)

you might also like

leave a comment