Collaborate Disseminate
Daniel Bleichenbacher was the security researcher who first discovered, in 1998, that PKCS #1 v1.5 padding error messages sent by a Transport Layer Security (TLS) stack running on a server could enable an adaptive-chosen ciphertext attack. When used in… Continue reading ROBOT Attack Revives a 19-Year Old Vulnerability
It was late Friday afternoon when the email arrived saying he’d won a free cruise. Philip quickly opened the email and clicked the link for more information, but there was nothing there. What he didn’t know is that this cruise offer actuall… Continue reading Exploiting ROBOT like Mr. Robot
Many websites, firewalls and load balancers are vulnerable to an attack that can allow hackers to decrypt TLS traffic between them and users or to sign data with their certificate’s private key. The weakness was found by independent researcher Ha… Continue reading Many Websites Vulnerable to 19-Year-Old TLS Decryption Attack
Facebook has paid a group of researchers a bug bounty prize for notifying the company of a severe vulnerability based on a slight modification of an encryption bug from 1998 that was until now presumed to be patched by most major websites, Forbes reported. The researchers say many more websites could be vulnerable. The trio of researchers – Hanno Böck and Juraj Somorovsky from Germany, and Craig Young from the United States – dubbed the vulnerability “ROBOT” in a blog post published on Tuesday and say that it could affect subdomains on 27 of the top 100 websites on Alexa, the web traffic analytics website. The bug can let a hacker sit between a user and a website’s server and intercept private information, such as passwords. The vulnerability is based on the 19-year-old Bleichenbacher attack, by which an attacker can figure how to break through a websites’s encryption using a barrage of queries. […]
The post Facebook patches security flaw based on 19-year-old bug; other sites may still be vulnerable appeared first on Cyberscoop.
Facebook has paid a group of researchers a bug bounty prize for notifying the company of a severe vulnerability based on a slight modification of an encryption bug from 1998 that was until now presumed to be patched by most major websites, Forbes reported. The researchers say many more websites could be vulnerable. The trio of researchers – Hanno Böck and Juraj Somorovsky from Germany, and Craig Young from the United States – dubbed the vulnerability “ROBOT” in a blog post published on Tuesday and say that it could affect subdomains on 27 of the top 100 websites on Alexa, the web traffic analytics website. The bug can let a hacker sit between a user and a website’s server and intercept private information, such as passwords. The vulnerability is based on the 19-year-old Bleichenbacher attack, by which an attacker can figure how to break through a websites’s encryption using a barrage of queries. […]
The post Facebook patches security flaw based on 19-year-old bug; other sites may still be vulnerable appeared first on Cyberscoop.
TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding,and may therefore be vulnerable to Bleichenbacher-style attacks. This attack is known as a"ROBOT attack". Continue reading VU#144389: TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding