A new security vulnerability, named FalseCONNECT, was discovered by the security expert Jerry Decime. By abusing it, attackers can carry out a man-in-the-middle attack and intercept HTTPS traffic. What makes this possible are flaws in the way some software products implement proxy authentication.
Decime believes the weakness lies in how several applications handle HTTP/1.0 407 Proxy Authentication Required responses to their HTTP CONNECT requests.
The flaw only comes into play in network environments where users go online through a proxy. Such connections are mostly used in corporate networks with strict firewalls.
According to Decime, an attacker with access to the targeted network who can observe proxy traffic is also able to watch the HTTP CONNECT requests that clients send to the local proxy. As soon as the attacker sees such a request, he answers in place of the proxy with a 407 Proxy Authentication Required response, asking the victim for a password for the requested service. The user then sends their credentials to the attacker, hence the name of the vulnerability, FalseCONNECT.
Moreover, because HTTP CONNECT requests are sent unencrypted, the attacker always knows when a user is about to log into an important account such as email or an intranet server.
Software that uses WebKit, including Chrome, iTunes, Google Drive and Safari, is considered to be at greater risk than others.
“WebKit-based clients are vulnerable to additional vectors due to the fact that HTML markup and JavaScript are rendered by the client Document Object Model (DOM) in the context of the originally requested HTTPS domain,” a US-CERT alert states.
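As an added illustration (not code from the article, from Decime or from US-CERT), the following Python check flags the pattern described above from a defender's side: a 407 Proxy Authentication Required answer to a CONNECT request that arrives from somewhere other than the configured proxy, is sent as HTTP/1.0, carries markup a WebKit client could render in the HTTPS origin, or lacks a Proxy-Authenticate header. The log record format and the sample exchanges are constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass
class Exchange:
    """Hypothetical record of one proxy exchange as a monitor might log it."""
    configured_proxy: str  # proxy the client is configured to use
    responder: str         # address the reply actually came from
    request_line: str      # e.g. "CONNECT mail.example.com:443 HTTP/1.1"
    response: str          # raw response: head, blank line, optional body

STATUS_RE = re.compile(r"^HTTP/(1\.[01]) (\d{3})")

def assess(ex: Exchange) -> list:
    """Return the reasons a 407 reply to a CONNECT looks like FalseCONNECT; [] if benign."""
    reasons = []
    if not ex.request_line.startswith("CONNECT "):
        return reasons                     # only CONNECT requests are in scope
    m = STATUS_RE.match(ex.response)
    if not m or m.group(2) != "407":
        return reasons                     # only 407 replies matter here
    head, _, body = ex.response.partition("\r\n\r\n")
    if ex.responder != ex.configured_proxy:
        reasons.append(f"407 came from {ex.responder}, not the configured proxy {ex.configured_proxy}")
    if m.group(1) == "1.0":
        reasons.append("407 sent as HTTP/1.0, the form named in the advisory")
    if re.search(r"<\s*(html|script|form)\b", body, re.I):
        reasons.append("407 body carries markup a WebKit client could render "
                       "in the origin of the requested HTTPS host")
    if not re.search(r"^Proxy-Authenticate:", head, re.M | re.I):
        reasons.append("407 without a Proxy-Authenticate header")
    return reasons

# Constructed sample exchanges (not real captures): a normal tunnel, a
# legitimate 407 from the real proxy, and a spoofed HTTP/1.0 407 with an HTML body.
SAMPLES = [
    Exchange("10.0.0.2:3128", "10.0.0.2:3128",
             "CONNECT mail.example.com:443 HTTP/1.1",
             "HTTP/1.1 200 Connection established\r\n\r\n"),
    Exchange("10.0.0.2:3128", "10.0.0.2:3128",
             "CONNECT mail.example.com:443 HTTP/1.1",
             "HTTP/1.1 407 Proxy Authentication Required\r\n"
             "Proxy-Authenticate: Basic realm=\"corp\"\r\n\r\n"),
    Exchange("10.0.0.2:3128", "10.0.0.99:3128",
             "CONNECT mail.example.com:443 HTTP/1.1",
             "HTTP/1.0 407 Proxy Authentication Required\r\n"
             "Content-Type: text/html\r\n\r\n"
             "<html><body>Session expired. Sign in again.</body></html>"),
]
```

Running `assess` over the three samples yields no findings for the first two and four for the spoofed reply; in practice the same checks can be applied to proxy logs or a packet capture of the CONNECT leg.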
However, many other software vendors offer applications that use proxy connections. So far, Microsoft, Apple, Opera and Oracle have already acknowledged that the bug affects their products. Lenovo, on the other hand, said its software is not affected.
At this point, it is not clear how many other products are or could be affected, as FalseCONNECT is still being analyzed by Cisco, Google, HP, Nokia, OpenBSD, SAP, Linux distributions, IBM, Juniper, Mozilla, Sony and other vendors.