Security Affairs
Hacking

BREACH, just 30s to decrypt info of SSL/TLS encrypted traffic

HTTPS is threatened by the BREACH attack, which allows attackers to capture security credentials, email addresses and much more from encrypted pages, often in as little as 30 seconds.

BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) is the name of a new method for capturing login tokens, session IDs and other sensitive information from SSL/TLS encrypted traffic.

The powerful technique was presented at the Black Hat conference by Yoel Gluck and his fellow researchers Neal Harris and Angelo Prado; what shocked the security community is its ability to break the encryption in just 30 seconds.

HTTPS connections are used today to protect banking traffic, e-commerce and other sensitive communications; with a BREACH attack, hackers could access sensitive information carried inside the encrypted traffic, such as email addresses and security tokens.

Breach attack

In reality, the BREACH technique does not decrypt the entire protected stream; instead it abuses data compression to extract the specific pieces of information the attacker is interested in.

“We’re not decrypting the entire channel, but only extracting the secrets we care about,” Yoel Gluck, one of three researchers who developed the attack, told Ars. “It’s a very targeted attack. We just need to find one corner [of a website response] that has the token or password change and go after that page to extract the secret. In general, any secret that’s relevant [and] located in the body, whether it be on a webpage or an Ajax response, we have the ability to extract that secret in under 30 seconds, typically.”

BREACH exploits the standard Deflate compression algorithm used by many websites to reduce bandwidth consumption. The attacker needs to continually eavesdrop on the encrypted traffic between the victim and the web server, and the attack succeeds only if the victim first accesses a malicious link, for example by being lured through an iframe tag embedded in a page the victim frequents.

It is important to note that the attack appears independent of the version of TLS/SSL and does not require TLS-layer compression. Additionally, the attack works against any cipher suite.

Angelo Prado added, speaking to The Hacker News: “We are using a compression oracle that is leveraging the building blocks from CRIME, on a different compression context.”

“Using what’s known as an oracle technique, attackers can use compression to gain crucial clues about the contents of an encrypted message. That’s because many forms of encryption—including those found in HTTPS—do little or nothing to stop attackers from seeing the size of the encrypted payload. Compression oracle techniques are particularly effective at ferreting out small chunks of text in the encrypted data stream,” reported a post on Ars Technica.
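To make the size leak concrete, here is an added Python illustration (not code from the article or from the researchers). It builds a constructed page that carries an anti-CSRF token and reflects attacker-controlled input into the same response, then compares the Deflate-compressed size for a right and a wrong one-character guess at the token: when the guess continues the real token, Deflate finds a longer back-reference and the body shrinks, which is the oracle described above. It also shows the per-response masking mitigation, under which the literal token never appears in the body and the size stops reacting to guesses at it. The page template, token value, probe string and mask bytes are all constructed for the demonstration; zlib's fixed Huffman strategy is used only to keep the length signal free of table noise.

```python
import zlib
import secrets

# Constructed sample data for the demonstration (not from any real site).
SECRET_TOKEN = "4f9c1e7ab2d3"          # the anti-CSRF token a BREACH attacker would target
PROBE = 'name="csrf" value="'          # attacker-controlled text reflected into the page

# Hypothetical page: a form carrying the token, plus a search box that echoes
# its query. Secret and reflected input end up in one compressed response body.
PAGE_TEMPLATE = (
    "<html><body>\n"
    '<form method="post" action="/transfer">\n'
    '<input type="hidden" name="csrf" value="{csrf}">\n'
    '<input type="text" name="amount">\n'
    "</form>\n"
    "<p>Search results for: {query}</p>\n"
    "</body></html>\n"
)


def render(csrf_value: str, query: str) -> bytes:
    """Render the page with the given token field value and reflected query."""
    return PAGE_TEMPLATE.format(csrf=csrf_value, query=query).encode()


def compressed_size(body: bytes) -> int:
    """Length of the Deflate-compressed body, which is what a passive observer
    sees on the wire: TLS hides the bytes, not their count.
    Fixed Huffman tables (Z_FIXED) keep the signal clean for the demo; the
    dynamic tables servers normally use add noise but do not remove the leak."""
    comp = zlib.compressobj(9, zlib.DEFLATED, zlib.MAX_WBITS, 8, zlib.Z_FIXED)
    return len(comp.compress(body) + comp.flush())


def length_gap(csrf_value: str, guess_right: str, guess_wrong: str) -> int:
    """Compression oracle: how many bytes shorter the response is when the
    reflected guess continues the token field than when it does not."""
    right = compressed_size(render(csrf_value, PROBE + guess_right))
    wrong = compressed_size(render(csrf_value, PROBE + guess_wrong))
    return wrong - right


def mask_token(token: str, mask: bytes) -> str:
    """Mitigation: emit hex(mask) || hex(token XOR mask) with a fresh random
    mask per response, so the literal token never appears in the body."""
    raw = token.encode()
    if len(mask) != len(raw):
        raise ValueError("mask must be exactly as long as the token")
    return mask.hex() + bytes(a ^ b for a, b in zip(raw, mask)).hex()


def unmask_token(rendered: str) -> str:
    """Server side: recover the real token from the submitted masked value."""
    half = len(rendered) // 2
    mask = bytes.fromhex(rendered[:half])
    masked = bytes.fromhex(rendered[half:])
    return bytes(a ^ b for a, b in zip(masked, mask)).decode()


if __name__ == "__main__":
    # Right guess "4" (first character of the token) versus wrong guess "b".
    print("plain token, wrong-minus-right size:", length_gap(SECRET_TOKEN, "4", "b"))
    mask = secrets.token_bytes(len(SECRET_TOKEN))
    masked = mask_token(SECRET_TOKEN, mask)
    print("masked token, wrong-minus-right size:", length_gap(masked, "4", "b"))
    print("server still recovers token:", unmask_token(masked) == SECRET_TOKEN)
```

With the plain token the wrong guess costs one extra literal in the Deflate stream, so the response is one byte longer than for the right guess; that single byte is the whole oracle, and TLS, whatever its version or cipher suite, does nothing to hide it. With masking, the body still contains something that compresses against the probe, but it is the random mask, which changes on every response, so any size variation carries no information about the token. Masking the secret, disabling HTTP compression for responses that mix secrets with user input, and hiding response length were among the countermeasures published alongside the attack.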

The attack has serious repercussions: capturing an authentication token or other sensitive information could allow an attacker to hijack authenticated web sessions, with obvious consequences. Although this kind of attack does not compromise SSL security as a whole, it highlights the vulnerability of the two-decade-old SSL and TLS protocols.

Pierluigi Paganini

(Security Affairs – Hacking, BREACH)