By Brian Prince
A security researcher has demonstrated how attackers could use a newly
discovered vulnerability in the Secure Sockets Layer protocol to launch
an attack on Twitter.
The researcher, Anil Kurmus, posted details of the attack to his blog,
The Secure Goose, Nov. 10. The exploit takes advantage of a
vulnerability reported Nov. 5 by researchers from PhoneFactor. Although
the security hole Kurmus took advantage of has reportedly been closed by
Twitter, one of the researchers at PhoneFactor who discovered the bug
said the exploit underscores the flaw's significance.
The exploit takes advantage of an SSL renegotiation issue. According to
PhoneFactor, the vulnerability partially invalidates the SSL lock and
enables attackers to launch attacks that could compromise a variety of
sites that use SSL for security, including banking sites and back-office
systems that use Web services-based protocols.
In a paper (PDF), PhoneFactor researchers Steve Dispensa and Marsh Ray
explained that the vulnerability allows a man-in-the-middle attacker to
inject an arbitrary amount of chosen plaintext into the beginning of
the application protocol stream. This in turn can lead to a variety of
abuses, they contended.