Secure Sites Can Be Hacked Through Ads HEIST

On August 3 during The Black Hat USA 2016 event held at Las Vegas two PhD Researchers explained a new technique called HEIST. HEIST steals encrypted information through the TCP windows.

WATCH VIDEO

A window is the amount of data that a device can accept without acknowledging the sender. This hack purely works within the browser using some front-end scripts and which may look fine to the user thus making it difficult to monitor.

A hacker can exploit using ads infected with the malicious script and can also use malicious sites.

HEIST exploits the underlying Transport and Application layers of a Network such as the protocol HTTP, TCP, SSL, etc. It uses the length of the encrypted data.

Using other technique with this the hacker can pull out sensitive data out of the encrypted message. Even the brand new HTTP/2 (Web 2.0) is not safe from this attack.

In fact the Researchers has shown that HTTP/2 increase the number of techniques a hacker can combine with HEIST causing more damage.

According to one of the Researchers simply disabling third party cookies which contains scripts stored on your device by any third party ads will prevent techniques like HEIST to work.

More information about the event and exploit can be found here.

Loading...