More weaknesses in e-commerce and SSL-VPN connections revealed

The security flaw says Chai, who is a regular presenter with Infosecurity's information security webinar programme, allows hackers to use man-in-the-middle attack techniques and break into e-commerce sites round the world.

E-commerce sites, he says, are renowned for their security as they use the secure HTTPS protocol for all business transactions.

However the report shows how the UK ethical hacking and penetration testing firm, First Base Technologies, has been using a configuration weakness listed in OWASP's web developer's guide since 2007 that allows cybercriminals to hijack connections.

As reported by Infosecurity in late April when we interviewed Peter Wood, the chief of operations with First Base and another regular on the Infosecurity webinar programme, the cookie hi-jack works regardless of the authentication type and the amount of encryption used.

This, says Chai, is because criminals are essentially hijacking the session using the session token of a user connection to the e-commerce site.

"In other words the attack works whether you use two-factor authentication or a highly secure SSL-VPN connection."

In the report, SecurityVibes members have mentioned an even more alarming SSL hack using Moxie Marlinspike's SSLstrip technology, which Chai claims is currently more difficult to defend against.

A copy of the report can be seen here...

What’s hot on Infosecurity Magazine?