Security researcher Guido Vranken discovered that using a ‘HTTPS Bicycle Attack,’ a potential hacker could extract information from the HTTPS data streams. He has published a research paper (PDF) detailing how the new attack works on TLS/SSL-encrypted traffic, and how it could be used to reveal users passwords, GPS coordinates and much more. According to Vranken, the HTTPS Bicycle Attack lets a hacker inspect HTTPS traffic and be able to determine the length of some of the data exchanged underneath the TLS protection layer. Once the exploit is successful the hacker can find out details like the length of a cookie header, the length of passwords sent in POST requests, GPS coordinates, IPv4 addresses, or other information contained in TLS-encrypted HTTP traffic.
What is HTTPS Bicycle Attack?
Vranken says that the HTTPS Bicycle Attack is completely undetectable and can also be used retroactively on HTTPS traffic logged many years before. For an HTTPS Bicycle Attack to be successful, a few prerequisites need to be satisfied. First the HTTPS traffic must use a stream-based cipher, and then the attacker must know the length of the rest of the data before being able to extract details about specific parts of the HTTPS packets. Once the above prerequisites are met, any hacker with advanced tech knowledge can carry out the HTTPS Bicycle Attack as all he/she needs to do is to capture HTTPS packets from a user authentication operation. Once the hacker has used the exploit, he/she will have access to victim’s username, login URL, and the adjacent information (usually sent to the server), the only information left in the HTTPS packet would be the length of the user’s password. After a simple subtraction, an attacker would then be in the possession of the user’s password length. The password length will allow the hacker to brute-force into any web account. Vranken has also published details of mitigation against the HTTPS Bicycle Attack. To protect against HTTPS Bicycle attacks, Vranken recommends that webmasters should turn off support for TLS stream-ciphers. He suggests that the webmasters should use the latest version of the TLS protocol (1.2 right now), and add padding to any sensitive data sent via HTTPS and mask its actual length.