
ALPACA gnaws through TLS protection to snarf cookies and steal data
2021-06-10 00:07

Academics from three German universities have found a vulnerability in the Transport Layer Security protocol that under limited circumstances allows the theft of session cookies and enables cross-site scripting attacks.

Because TLS does not bind TCP connections to the desired application layer protocol, there's an opportunity for a miscreant-in-the-middle attack to redirect TLS traffic to a different endpoint at another IP address or port.

"We show that in realistic scenarios, the attacker can extract session cookies and other private user data or execute arbitrary JavaScript in the context of the vulnerable web server, therefore bypassing TLS and web application security," the boffins' paper explains.

The first such cross-protocol attack, described two decades ago by Jochen Topf, showed how browsers could be duped into sending arbitrary data to any TCP port using HTML forms.

The boffins argue there's no reason to panic because the ALPACA attack requires a number of prerequisites to work and depends on the complicated interplay between applications, protocols, and browsers.

The suggested mitigations involve implementing the Application Layer Protocol Negotiation (ALPN) and Server Name Indication (SNI) extensions to TLS as a barrier to cross-protocol attacks.
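To make the mitigation concrete, the following added example (not code from the researchers or the original article) parses the SNI and ALPN extensions out of a ClientHello and applies a strict server-side check. The hostnames under `example.test`, the helper names, and the choice to reject a ClientHello that carries no ALPN at all are assumptions of this sketch.

```python
import struct

def build_client_hello(sni, alpn):
    """Constructed sample input: a minimal ClientHello handshake message."""
    def ext(etype, body):
        return struct.pack("!HH", etype, len(body)) + body
    exts = b""
    if sni is not None:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode("ascii")
        exts += ext(0, struct.pack("!H", len(entry)) + entry)
    if alpn:
        names = b"".join(bytes([len(p)]) + p for p in alpn)
        exts += ext(16, struct.pack("!H", len(names)) + names)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def parse_sni_alpn(hello):
    """Extract (server_name, [ALPN ids]) from a ClientHello handshake message."""
    pos = 4 + 2 + 32                                        # header, version, random
    pos += 1 + hello[pos]                                   # session_id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")    # cipher_suites
    pos += 1 + hello[pos]                                   # compression_methods
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    sni, alpn = None, []
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", hello, pos)
        data = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0:                                      # server_name extension
            sni = data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii")
        elif etype == 16:                                   # ALPN extension
            i = 2
            while i < len(data):
                alpn.append(data[i + 1:i + 1 + data[i]])
                i += 1 + data[i]
    return sni, alpn

def strict_check(hello, hostnames, protocols):
    """Return ("accept", protocol) or ("reject", TLS alert name)."""
    sni, offered = parse_sni_alpn(hello)
    if sni is None or sni.lower() not in hostnames:
        return ("reject", "unrecognized_name")
    for proto in protocols:                                 # server preference order
        if proto in offered:
            return ("accept", proto)
    # Assumption of this sketch: a hello with no ALPN is rejected as well.
    return ("reject", "no_application_protocol")
```

A browser hello redirected to an FTP service fails the check on either extension, while a lenient server that ignores a mismatch would carry on and interpret the HTTP request as FTP commands.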


News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/10/alpaca_tls_protection/