Internet privacy and security course
About translation
Previous Next

Chapter 94

Data theft with an attack “web cache deception”

In the chapter on protection against  identity theft, I talked about preventive measures, the first of which is comprehensive security, which includes not only the protection of devices, but also knowledge, skills and habits.

One of these habits is to check all the received links to the subject of phishing, to prevent situations where a malefactor forces you to go to a fake website instead of the original one. The easiest way is to offer you fasebook.com instead of facebook.com. This substitution will be easily detected by any phishing protection system or your attentiveness.

Many people advise to pay attention to https certificate, but I would not overestimate its importance, on the black market for good money you can get on the site for phishing the EV-certificate, which browsers highlight in green.

The example above is a childish level of phishing based on social engineering, but phishing would not be so dangerous if there were no much more effective methods in its range. Usually they are based on various vulnerabilities and work until they are discovered by developers or researchers, but until this point they are working with incredible efficiency.

One of these methods was the use of unicode-characters that are visually similar to the Latin alphabet, but for the browser these are other characters. In 2017, researcher Zheng Sydun registered a domain that is visually indistinguishable from apple.com, but in fact consists only of unicode-characters. This attack was effective against users of Chrome, Firefox and Opera browsers. Nowadays, the problem has been fixed by browser developers.

apple fake unicode

But there is a much more effective attack described above and still is remaining incredibly dangerous, this is web cache deception. Omer Gil, who is an employee of the Israeli company EY Hacktics Advanced Security Center, discovered it in 2017.

The essence of the attack is very simple, when you access the site and request content that is not on it, for example, a picture or a text document, the site must notify you of the absence of the requested content by the 404th error. But sometimes because of incorrect settings this does not happen, at the same time the site caches your data.

The principle of attack is best understood in a demo video, where the researcher receives data from his PayPal account. In the first video, it shows the correct link to the PayPal account setting page. Then it follows the link to a non-existent file, but the site ignores part of the link and translates it into the PayPal profile settings.

What is dangerous about this? The fact is that PayPal is caching data and re-following this link by the malefactor, which allowed them to get the victim’s cached page.

In the second video, the researcher first of all follows the link with web cache deception and caches the data of his PayPal account. Then he launches the browser in incognito mode, and, imitating the actions of the malefactor, follows the same link, receiving information from the page that was previously cached.

PayPal paid $3000 to the researcher for the discovered vulnerability. Omer Gil checked large sites for vulnerability to this attack, and web cache deception was performed on 10% of checked sites.

If, in the case of PayPal, an attacker could only get personal data using a web cache deception attack, in many other cases it was possible to gain access to the account using the attack. The web cache deception attack can also be used for deanonymization, since in some cases, the victim's IP address, even their passport data, is cached.

The incredible danger of web cache deception is due to the two following factors: the first is that the user opens a genuine site, no fakes or substitutions, the second is that they simply open the site, no additional actions are required from them.

How to protect yourself from web cache deception

On the basis level, be aware of the existence of this attack, if you are sent a suspicious link of a familiar site, you click on it, and you get to the page with your private information (for example, in your personal account), and the repeated working link has not been sent, probably, you became the victim of attack web cache deception.

Links from unfamiliar people are always and in any case better to be opened only in a sandbox or a virtual environment (although, to be completely honest, from acquaintances too). Popular sites like Google, Facebook, PayPal are tested for resistance to this attack, but this does not mean that there will not be a new, similar vulnerability to which they will be defenseless.

 

Tip

Links from unverified people should be opened only in the sandbox.
Previous
4154
Next