Encrypted connections established by at least 949 of the top 1 million websites are leaking potentially sensitive data because of a recently discovered software vulnerability in appliances that stabilize and secure Internet traffic, a security researcher said Thursday.
The bug resides in a wide range of firewalls and load balancers marketed under the F5 BIG-IP name. By sending specially crafted packets to vulnerable sites, an attacker can obtain small chunks of data residing in the memory of connected Web servers. The risk is that by stringing together enough requests, an attacker could obtain cryptographic keys or other secrets used to secure HTTPS sessions end users have established with the sites, security researcher Filippo Valsorda told Ars. He didn’t identify the sites that tested positive in his scans, but results returned by a publicly available tool released with his vulnerability disclosure included the following:
- www.adnxs.com
- www.aktuality.sk
- www.ancestry.com
- www.ancestry.co.uk
- www.blesk.cz
- www.clarin.com
- www.findagrave.com
- www.mercadolibre.com.ar
- www.mercadolibre.com.co
- www.mercadolibre.com.mx
- www.mercadolibre.com.pe
- www.mercadolibre.com.ve
- www.mercadolivre.com.br
- www.netteller.com
- www.paychex.com
The threat stems from a vulnerability in F5 code that implements a transport layer security feature known as session tickets. Session tickets speed up encrypted transactions by allowing a previously established HTTPS connection to resume without a key having to be renegotiated. Sites are vulnerable if they use the affected F5 appliances and have session tickets enabled.
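Because exposure depends on session tickets being enabled, an administrator can inventory that setting from a captured handshake. The following is an added example, not code from the article, the researcher or F5: it parses a TLS 1.2 ServerHello record and reports whether the server acknowledged the SessionTicket extension (type 35, RFC 5077). The function names and the sample bytes are constructed for illustration, and the check assumes the client offered the extension in its ClientHello, since a server only echoes it in that case.

```python
import struct

SESSION_TICKET_EXT = 35  # SessionTicket TLS extension type (RFC 5077)

def server_hello_extensions(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; return {ext_type: ext_data}."""
    pos = 0
    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(record):
            raise ValueError("truncated ServerHello")
        pos += n
        return record[pos - n:pos]
    ctype, _version, _rec_len = struct.unpack("!BHH", take(5))
    htype, hlen = take(1)[0], int.from_bytes(take(3), "big")
    if ctype != 0x16 or htype != 0x02:
        raise ValueError("not a ServerHello handshake record")
    end = pos + hlen
    if end > len(record):
        raise ValueError("truncated ServerHello")
    take(2 + 32)               # server_version, random
    take(take(1)[0])           # session_id (length-prefixed)
    take(2 + 1)                # cipher_suite, compression_method
    exts = {}
    if pos == end:
        return exts            # server sent no extensions block
    ext_len = int.from_bytes(take(2), "big")
    ext_end = pos + ext_len
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", take(4))
        exts[etype] = take(elen)
    if pos != ext_end:
        raise ValueError("extension overruns extensions block")
    return exts

def session_tickets_enabled(record: bytes) -> bool:
    """True if the server acknowledged session tickets in this handshake."""
    return SESSION_TICKET_EXT in server_hello_extensions(record)

def build_server_hello(ext_types) -> bytes:
    """Constructed sample input: ServerHello with empty extensions of given types."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if ext_types:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs
```

A positive result only shows that session tickets are enabled on the endpoint; it says nothing about whether the device in front of it runs the vulnerable F5 code.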