Security News > 2021 > June > ALPACA: New TLS Attack Allows User Data Extraction, Code Execution
Researchers from three universities in Germany have identified a new TLS attack method that can allow a man-in-the-middle attacker to extract user data or execute arbitrary code.
The new attack, dubbed ALPACA, has been described as an "Application layer protocol content confusion attack."
"TLS is widely used to add confidentiality, authenticity and integrity to application layer protocols such as HTTP, SMTP, IMAP, POP3, and FTP. However, TLS does not bind a TCP connection to the intended application layer protocol. This allows a man-in-the-middle attacker to redirect TLS traffic to a different TLS service endpoint on another IP address and/or port," the researchers explained in a paper made public this week.
If subdomains share a wildcard certificate, an attacker can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attack may be possible where the behavior of one service may compromise the security of the other at the application layer," they added.
A malicious actor could use the ALPACA attack to extract session cookies and other user data, as well as to execute arbitrary JavaScript code through stored and reflected cross-site scripting attacks.
The researchers have set up a dedicated website for the ALPACA attack, which contains information on impact, affected vendor responses, comparison to other attacks, and possible protections.