Slashdot Mirror


FalseCONNECT Vulnerability Affects Software From Apple, Microsoft, Oracle, More (softpedia.com)

An anonymous reader writes from a report via Softpedia: "Researcher Jerry Decime revealed details about a security vulnerability that allows an attacker to gain a Man-in-the-Middle position and intercept HTTPS traffic thanks to flaws in the implementation of proxy authentication procedures in various products," reports Softpedia. The flaw can be used to collect user credentials by tricking victims into re-authenticating, sending data to a third party. Multiple software vendors deploy applications that can handle proxy connections. Until now, Apple, Microsoft, Oracle, and Opera have acknowledged their products are affected. Lenovo said this bug does not impact its software. Other software vendors that are still evaluating the FalseCONNECT bug and may be affected include multiple Linux distros, Cisco, Google, HP, IBM, Juniper, Mozilla, Nokia, OpenBSD, SAP, Sony, and others.


  1. Re:Tricks victims into reauthenticating by Oswald+McWeany · · Score: 2

    My vote is for both: It requires an imperfect user using imperfect software.

    --
    "That's the way to do it" - Punch
  2. Re:silent security fixes by halivar · · Score: 2

    FLOSS isn't "out in the open;" it's unknown. We don't KNOW that it's affected, and the "may be affected" line in the summary is purely speculative. The known affected parties were notified and given a short time to fix, as is standard procedure. If these security bug disclosure sites had unlimited resources, no one would be out in the cold. Alas, it cannot be.

  3. Re:Tricks victims into reauthenticating by Gr8Apes · · Score: 2

    Seems like this is an issue only for those going through a proxy server. No HTTP proxy, no problem. So this affects a minor smidgen of users in the world, and only those that are smart enough to set one up in the first place. (Companies that set this up should be smart enough to deal with this problem)

    --
    The cesspool just got a check and balance.
  4. Re:Tricks victims into reauthenticating by 93+Escort+Wagon · · Score: 1

    Uh... don't a lot of ISPs use proxies without necessarily letting their customers know?

    --
    #DeleteChrome
  5. Re:Tricks victims into reauthenticating by Gr8Apes · · Score: 1

    Not in my experience. I don't use any ISP anything on my system. If you installed ISP software.... well, that's a personal problem.

    --
    The cesspool just got a check and balance.
  6. Re:Tricks victims into reauthenticating by darkain · · Score: 1

    Then you don't understand the tech at hand. The parent was talking about transparent proxies sitting within the ISP's network itself. And yes, this is actually a thing that exists within many ISPs.

  7. Re:Goorgle by darkain · · Score: 1

    Google uses Blink now, not WebKit... because it is OMGs so different! https://en.wikipedia.org/wiki/...

  8. In other words by ThatsNotPudding · · Score: 1

    In other words, NOTHING online is secure, nor ever was.

    We're all wearing the Emperor's New Clothes; some of us just haven't been embarrassed about it yet.

  9. Re:Tricks victims into reauthenticating by Gr8Apes · · Score: 1

    I have to allow my browser to be configured to use a network proxy. They're not. HTTPS / TLS prevents supposedly exactly what you're discussing, unless the entire CA cert chain of trust has been compromised, admittedly possible and likely more common than we wish to know, but in that case you're already compromised.... I also tend to proxy to localhost via ssh tunnels for a variety of things that require that sort of thing. That type of proxying is not subject to these attacks at all, as I control all aspects of the encryption on those tunnels.

    --
    The cesspool just got a check and balance.
  10. Re:Tricks victims into reauthenticating by 93+Escort+Wagon · · Score: 1

    Not only that - I believe ISPs also use them to cut down on the amount of data they are retrieving from networks other than their own.

    --
    #DeleteChrome
  11. Re: Tricks victims into reauthenticating by buchanmilne · · Score: 2

    ISPs don't use proxies for that.

    The two most common ways to track usage (in DSL/fibre networks, I am not that familiar with cable) are:
    - RADIUS accounting from the BNG where the PPP (e.g. PPPoE) session terminates
    - From a DPI-based in-line system (3GPP terminology is 'PCEF'). This can also typically be used for enabling transparent caching (but that can also be done with e.g. WCCP on a router in-line IIRC, but DPI can make better decisions on what traffic to send to caches).

    But, typically there isn't authentication involved with accessing transparent caches ...

  12. Re:Tricks victims into reauthenticating by mr_mischief · · Score: 1

    Actually RADIUS can do that. The proxies are for tracking your activity.

  13. Re:Tricks victims into reauthenticating by sjames · · Score: 1

    Unfortunately, some browsers will discover proxies as well. So if no proxy is in use, the bad guy can set one up and get everyone's browser to use it. That doesn't let them sniff the HTTPS traffic, but it does let them ask for a login. In a corporate environment, you can count on a lot of people entering their corporate login without a second thought.