Slashdot Mirror


FalseCONNECT Vulnerability Affects Software From Apple, Microsoft, Oracle, More (softpedia.com)

An anonymous reader writes from a report via Softpedia: "Researcher Jerry Decime revealed details about a security vulnerability that allows an attacker to gain a Man-in-the-Middle position and intercept HTTPS traffic thanks to flaws in the implementation of proxy authentication procedures in various products," reports Softpedia. The flaw can be used to collect user credentials by tricking victims into re-authenticating, sending data to a third-party. Multiple software vendors deploy applications that can handle proxy connections. Until now, Apple, Microsoft, Oracle, and Opera have acknowledged their products are affected. Lenovo said this bug does not impact its software. Other software vendors that are still evaluating the FalseCONNECT bug and may be affected include multiple Linux distros, Cisco, Google, HP, IBM, Juniper, Mozilla, Nokia, OpenBSD, SAP, Sony, and others.

32 comments

  1. Lenovo said this bug does not impact its software. by Anonymous Coward · · Score: 0

    Well, that's a nice change of pace.

  2. Re:Lenovo said this bug does not impact its softwa by Anonymous Coward · · Score: 0

    Their driver auto-update apps are very simplistic. Thank God they didn't bother to add proxy support to them.

  3. Tricks victims into reauthenticating by Anonymous Coward · · Score: 0

    Not a software flaw. A user flaw.

    1. Re:Tricks victims into reauthenticating by Oswald+McWeany · · Score: 2

      My vote is for both: It requires an imperfect user using imperfect software.

      --
      "That's the way to do it" - Punch
    2. Re:Tricks victims into reauthenticating by Gr8Apes · · Score: 2

      Seems like this is an issue only for those going through a proxy server. No HTTP proxy, no problem. So this affects a minor smidgen of users in the world, and only those that are smart enough to set one up in the first place. (Companies that set this up should be smart enough to deal with this problem)

      --
      The cesspool just got a check and balance.
    3. Re:Tricks victims into reauthenticating by 93+Escort+Wagon · · Score: 1

      Uh... don't a lot of ISPs use proxies without necessarily letting their customers know?

      --
      #DeleteChrome
    4. Re:Tricks victims into reauthenticating by Gr8Apes · · Score: 1

      Not in my experience. I don't use any ISP anything on my system. If you installed ISP software.... well, that's a personal problem.

      --
      The cesspool just got a check and balance.
    5. Re:Tricks victims into reauthenticating by darkain · · Score: 1

      Then you don't understand the tech at hand. The parent was talking about transparent proxies sitting within the ISPs network itself. And yes, this is actually a thing that exists within many ISPs.

    6. Re:Tricks victims into reauthenticating by Anonymous Coward · · Score: 0

      I know it's traditional not to read TFA but you don't have to be so blatant about it.
      The attack described doesn't require user interaction and relies on software bugs instead. What happens in a nutshell is that the browser sends an unencrypted CONNECT request to the fake proxy, which returns an unencrypted response which is rendered by the browser, JavaScript and all, within the security context of the original HTTPS session. This makes it possible to MITM the traffic to an HTTPS protected site.
      So how can this be? Wasn't HTTPS supposed to protect us from MITM attacks? Well, it can only protect against MITM attacks that happen during the encrypted part of transit. This attack happens in the user's browser, before any traffic is encrypted.
      By the way this is the second proxy-related attack in just a few days, and the previous one also performed its attack in the browser.
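      As an added example that is not part of this thread or of any vendor's code, here is a minimal CONNECT-response handler in Python that applies the rule the comment above describes: a non-2xx reply from the proxy is a tunnel failure whose body is never handed to the renderer, and only the `Proxy-Authenticate` challenge is surfaced for a client-generated error page. The proxy responses fed to it are constructed.

```python
"""Defensive handling of a proxy's reply to an HTTP CONNECT request.

Added example (not from the article or any vendor's code): any non-2xx reply
to CONNECT is treated as a tunnel failure and its body is discarded instead
of being rendered in the context of the requested HTTPS origin. All response
bytes used with this code are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnectResult:
    established: bool
    status: int
    proxy_challenge: Optional[str]  # value of Proxy-Authenticate, if present
    error_text: str                 # plain text for a client-generated error page


def parse_connect_response(raw: bytes) -> ConnectResult:
    """Parse the proxy's response to CONNECT.

    Only the status line and headers are consulted; on every non-2xx path the
    body is dropped, so proxy-supplied HTML/JavaScript never reaches the page.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        version, status_str, *_ = lines[0].split(b" ", 2)
        status = int(status_str)
    except (ValueError, IndexError):
        return ConnectResult(False, 0, None, "Malformed proxy response")
    if not version.startswith(b"HTTP/1."):
        return ConnectResult(False, 0, None, "Malformed proxy response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if 200 <= status < 300:
        # Tunnel is up; the caller now starts the TLS handshake inside it.
        return ConnectResult(True, status, None, "")
    # Error path: surface the challenge (if any) and a client-generated message.
    challenge = headers.get("proxy-authenticate")
    return ConnectResult(False, status, challenge,
                         f"Proxy refused CONNECT with status {status}")
```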

    7. Re:Tricks victims into reauthenticating by Anonymous Coward · · Score: 0

      No. I think what he means is that some ISPs, like those in Iran, China, UAE, Saudi Arabia etc., have proxies at the ISP level which filter everything on the net.

    8. Re:Tricks victims into reauthenticating by Anonymous Coward · · Score: 0

      I would say that it is most ISPs, at least in the US, and growing every day. They need some way to track your data cap and tell you when you are over it.

    9. Re:Tricks victims into reauthenticating by Gr8Apes · · Score: 1

      I have to allow my browser to be configured to use a network proxy. They're not. HTTPS / TLS prevents supposedly exactly what you're discussing, unless the entire CA cert chain of trust has been compromised, admittedly possible and likely more common than we wish to know, but in that case you're already compromised.... I also tend to proxy to localhost via ssh tunnels for a variety of things that require that sort of thing. That type of proxying is not subject to these attacks at all, as I control all aspects of the encryption on those tunnels.

      --
      The cesspool just got a check and balance.
    10. Re:Tricks victims into reauthenticating by 93+Escort+Wagon · · Score: 1

      Not only that - I believe ISPs also use them to cut down on the amount of data they are retrieving from networks other than their own.

      --
      #DeleteChrome
    11. Re: Tricks victims into reauthenticating by buchanmilne · · Score: 2

      ISPs don't use proxies for that.

      The two most common ways to track usage (in DSL/fibre networks, I am not that familiar with cable) are:
      - RADIUS accounting from the BNG where the PPP (e.g. PPPoE) session terminates
      - From a DPI-based in-line system (3GPP terminology is 'PCEF'). This can also typically be used for enabling transparent caching (but that can also be done with e.g. WCCP on a router in-line IIRC, but DPI can make better decisions on what traffic to send to caches).

      But, typically there isn't authentication involved with accessing transparent caches ...

    12. Re:Tricks victims into reauthenticating by Anonymous Coward · · Score: 0

      HTTPS over Transparent proxy is anything but transparent. Cert errors all over the place. Red screen of ZOMG from Chrome.

    13. Re:Tricks victims into reauthenticating by mr_mischief · · Score: 1

      Actually RADIUS can do that. The proxies are for tracking your activity.

    14. Re:Tricks victims into reauthenticating by sjames · · Score: 1

      Unfortunately, some browsers will discover proxies as well. So if no proxy is in use, the bad guy can set one up and get everyone's browser to use it. That doesn't let them sniff the HTTPS traffic, but it does let them ask for a login. In a corporate environment, you can count on a lot of people entering their corporate login without a second thought.

  4. Re:silent security fixes by halivar · · Score: 2

    FLOSS isn't "out in the open;" it's unknown. We don't KNOW that it's affected, and the "may be affected" line in the summary is purely speculative. The known affected parties were notified and given a short time to fix, as is standard procedure. If these security bug disclosure sites had unlimited resources, no one would be out in the cold. Alas, it cannot be.

  5. Linux will be safe by Anonymous Coward · · Score: 0

    FOSS FTW

    1. Re: Linux will be safe by Anonymous Coward · · Score: 0

      Microsoft will be safe. COSS FTW.

  6. Scary by Anonymous Coward · · Score: 0

    This seems like a trivial attack. I have a funny feeling more companies will confirm, since all are bad at security basic security holes but stupid enough to complicate their code with UI shims

  7. Goorgle by Anonymous Coward · · Score: 0

    How could Google not confirm this when the researcher said WebKit is directly affected? I smell laziness!

    1. Re:Goorgle by Anonymous Coward · · Score: 0

      Don't hold your breath!

    2. Re:Goorgle by darkain · · Score: 1

      Google uses Blink now, not WebKit... because it is OMGs so different! https://en.wikipedia.org/wiki/...

  8. Re:silent security fixes by Anonymous Coward · · Score: 0

    FOSS projects were notified, according to the CERT alert

  9. In other words by ThatsNotPudding · · Score: 1

    In other words, NOTHING online is secure, nor ever was.

    We're all wearing the Emperor's New Clothes; some of us just haven't been embarrassed about it yet.

    1. Re:In other words by Anonymous Coward · · Score: 0

      Except Pokemon GO servers

    2. Re:In other words by Anonymous Coward · · Score: 0

      Yes there is. But you need to pray a lot

  10. Apple stuff by Anonymous Coward · · Score: 0

    Why publish details about iOS first... nobody uses iOS these days

  11. PRESUME IT'S A LIE (FBI) (FBI) (FBI) [singing] by Anonymous Coward · · Score: 0

    Softpedia is not legit whatsoever. They have passed out malware on par with CNET and ZDNET over decades. They take freeware and bundle malware and adware with their versions. So fuck their source is #1.

    #2 is Slashdot is FBI.

    >Lenovo said this bug does not impact its software. Other software vendors that are still evaluating the FalseCONNECT bug and may be affected include multiple Linux distros, Cisco, Google, HP, IBM, Juniper, Mozilla, Nokia, OpenBSD, SAP, Sony, and others.

    #3 is look at which sites they are pulling credibility from... actually not credibility from. Hover in the summary. falseconnect.com? no fucking shit eh? kb.cert.org? OH OK Linux and Cisco better find this shit out pronto senoritas.

    Time for FBI to FB die.