Security researchers Mathy Vanhoef and Tom Van Goethem presented their finding at the Black Hat conference this week. HEIST stands for HTTP Encrypted Information can be Stolen Through TCP-Windows.
“Compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring network access,” the researchers said in the paper.
“If we know that HTTP/2 is used, we can let the browser simultaneously request the targeted resource, and another resource that contains reflected content,” Vanhoef and Van Goethem wrote in a research paper. “Since HTTP/2 is used, both requests are sent in parallel to the server, and the server replies to them in parallel as well.”
How does this attack work?
HEIST builds on two earlier attacks, BREACH and CRIME, to decrypt the transmitted data without the attacker having to be in a man-in-the-middle (MITM) position on the network. When a visitor browses a compromised website, the malicious code runs silently in the background. HEIST works against both the older HTTP/1.x and the newer HTTP/2 protocol.
According to Ars Technica:
Van Goethem and fellow researcher Mathy Vanhoef have already disclosed their findings to researchers at both Google and Microsoft. That means Wednesday’s demonstration isn’t likely to catch them by surprise. Still, when asked how possible the attack is against Gmail, Bank of America, and other real-world sites, Van Goethem gave the following answer:
How to protect?
- Disable third-party cookies: this prevents HEIST’s fetch call from authenticating with the targeted website, so the cross-site requests it triggers carry no session.
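The two points above (the compression-based length leak that BREACH and CRIME rely on, and cutting off the authenticated cross-site fetch) can be checked on a server's own pages. The following Python is an added example written for this article, not code from the researchers or from any of the sites named; the page body, the token `7f3a9c1e0b4d`, the guess strings and the session id are constructed sample values. It shows why a compressed response that mixes a secret with reflected input has a size that depends on that input, that turning compression off for such responses removes the dependence, that per-response token masking (the server-side technique used by several web frameworks, an addition beyond what the article covers) keeps the raw secret bytes out of the body, and that a `SameSite` cookie attribute is the server-side counterpart of the browser setting the article recommends.

```python
import secrets
import zlib
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

# Constructed sample values (assumptions, not taken from the article).
SECRET_TOKEN = b"7f3a9c1e0b4d"          # an anti-CSRF token embedded in a form
SESSION_ID = "constructed-session-id"  # a session cookie value


def render_page(reflected: bytes, token: bytes) -> bytes:
    """Hypothetical page: attacker-influenced text and a secret share one response."""
    return (b"<html><body><p>You searched for: " + reflected + b"</p>"
            b"<form><input type=hidden name=csrf value=" + token + b"></form>"
            b"</body></html>")


def response_size(reflected: bytes, token: bytes, compress: bool) -> int:
    """Bytes on the wire. TLS hides the content, not (approximately) the length,
    which is exactly what HEIST measures from inside the browser."""
    body = render_page(reflected, token)
    return len(zlib.compress(body, 6)) if compress else len(body)


def length_depends_on_guess(token: bytes, compress: bool) -> bool:
    """Defender's check: two reflected strings of equal length, one sharing a
    prefix with the secret and one sharing nothing. If the sizes differ, the
    response is a length oracle for the secret (the BREACH/CRIME condition)."""
    matching = token[:6]      # b"7f3a9c": DEFLATE back-references it, saving bytes
    unrelated = b"q8k2m4"     # no 3-byte substring in common with the page
    return (response_size(matching, token, compress)
            != response_size(unrelated, token, compress))


def mask_token(token: bytes, mask: Optional[bytes] = None) -> str:
    """Per-response masking: XOR the token with a fresh random mask and send
    mask||masked. The secret's bytes never repeat across responses, so there is
    no stable substring for a reflected guess to match."""
    if mask is None:
        mask = secrets.token_bytes(len(token))
    masked = bytes(t ^ m for t, m in zip(token, mask))
    return urlsafe_b64encode(mask + masked).decode()


def unmask_token(masked_b64: str) -> bytes:
    """Server side: split mask and masked half, XOR back to the real token."""
    raw = urlsafe_b64decode(masked_b64)
    half = len(raw) // 2
    return bytes(t ^ m for t, m in zip(raw[half:], raw[:half]))


def hardened_session_cookie(session_id: str) -> str:
    """SameSite keeps the cookie off cross-site fetch() calls, so requests issued
    by a third-party page arrive unauthenticated (the server-side analogue of the
    user disabling third-party cookies)."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print("compressed body leaks guess:", length_depends_on_guess(SECRET_TOKEN, True))
    print("uncompressed body leaks guess:", length_depends_on_guess(SECRET_TOKEN, False))
    print("masked token:", mask_token(SECRET_TOKEN))
    print("Set-Cookie:", hardened_session_cookie(SESSION_ID))
```

Run it to see the compressed size differ between the two guesses while the uncompressed size does not; the practical consequence is that responses which embed a secret next to anything the client can influence should either not be compressed or should carry a masked secret, and session cookies should not be sent on cross-site requests at all.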