[ISN] Researcher Hacks Twitter Using SSL Vulnerability

From: InfoSec News <alerts_at_private>
Date: Tue, 17 Nov 2009 04:03:42 -0600 (CST)
http://www.eweek.com/c/a/Security/Researcher-Demonstrates-SSL-Vulnerability-on-Twitter-291904/

By Brian Prince
eWEEK.com
2009-11-16

A security researcher has demonstrated how attackers could use a newly 
discovered vulnerability in the Secure Sockets Layer protocol to launch 
an attack on Twitter.

The researcher, Anil Kurmus, posted details of the attack to his blog, 
The Secure Goose, Nov. 10. The exploit takes advantage of a 
vulnerability reported Nov. 5 by researchers from PhoneFactor. Although 
the security hole Kurmus took advantage of has reportedly been closed by 
Twitter, one of the researchers at PhoneFactor who discovered the bug 
said the exploit underscores the flaw's significance.

The exploit takes advantage of an SSL renegotiation issue. According to 
PhoneFactor, the vulnerability partially invalidates the SSL lock and 
enables attackers to launch attacks that could compromise a variety of 
sites that use SSL for security, including banking sites and back-office 
systems that use Web services-based protocols.

In a paper, PhoneFactor researchers Steve Dispensa and Marsh Ray 
explained (PDF) that the vulnerability allows a man-in-the-middle attack 
to inject an arbitrary amount of chosen plaintext into the beginning of 
the application protocol stream. This in turn can lead to a variety of 
abuses, they contended.

[...]


Received on Tue Nov 17 2009 - 02:03:42 PST
