By Brian Prince
eWEEK.com
2009-11-16
A security researcher has demonstrated how attackers could use a newly discovered vulnerability in the Secure Sockets Layer protocol to launch an attack on Twitter.
The researcher, Anil Kurmus, posted details of the attack to his blog, The Secure Goose, Nov. 10. The exploit takes advantage of a vulnerability reported Nov. 5 by researchers from PhoneFactor. Although the security hole Kurmus took advantage of has reportedly been closed by Twitter, one of the researchers at PhoneFactor who discovered the bug said the exploit underscores the flaw's significance.
The exploit takes advantage of an SSL renegotiation issue. According to PhoneFactor, the vulnerability partially invalidates the SSL lock and enables attackers to launch attacks that could compromise a variety of sites that use SSL for security.including banking sites, and back-office systems that use Web services-based protocols.
In a paper, PhoneFactor researchers Steve Dispensa and Marsh Ray explained (PDF) that the vulnerability allows a man-in-the-middle attack to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream. This in turn can lead to a variety of abuses, they contended.