How does Facebook stop a BREACH attack?


Though Facebook has moved to HTTPS, that doesn’t mean the site is completely safe. There’s a general attack on HTTPS sites called BREACH, which uses the size of compressed responses to recover secrets from a page, including the very token that usually shields against a different attack called cross-site request forgery (CSRF).

CSRF is used against sites with user accounts, such as Facebook. According to Facebook, the attacker convinces the user’s browser to send plausible web requests to the target website. It’s masked as a common request, so it doesn’t raise any red flags within the browser.

If that works, then the attacker can pose as their victim, sending spam or stealing information.

Facebook detailed in a security blog post how the company protects against these kinds of attacks.

Chad Perry, a member of Facebook’s Security Infrastructure team in London, showed how Facebook can protect its users from BREACH:

Facebook protects people against this threat with an extra layer of security inside the CSRF token. Before BREACH was invented, the token was rotated once daily. The CSRF token contained a truncated SHA-2 hash that incorporated the account ID and current date. A person with three Facebook sessions within a single day would have received an identical CSRF token each time (e.g., AQAOQ2sf, AQAOQ2sf, and AQAOQ2sf). Now our system replaces the token with a new one every time it is requested. Three different sessions use three different CSRF tokens (e.g., AQGSRmYTeFnr, AQFkqN92V78v, and AQHouyYa35iv). These new tokens are generated by introducing a random 24-bit salt. The salt is the last 4 letters at the end of the token and is also included within the hash, which eliminates all repetition anywhere in the token. After a new token is issued, the previous tokens still remain valid for a couple days, resulting in multiple tokens being permissible simultaneously.

Previously, if attackers could trigger requests for a few hundred web pages with the same repeated CSRF token and see the compressed size, hypothetically that would be sufficient to take over an account. Now, even if attackers coerced the victim’s browser into submitting ten thousand requests per second, they would rarely encounter the same token twice. BREACH takes advantage of repetition, so the introduction of randomness foils the attempts.
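The token design described above, written out as an added example (this is not Facebook's code, and the hash input layout, the keyed hash and the 8-character hash width are assumptions; only the structure, a truncated SHA-2 over account ID and date, a random 24-bit salt carried as the last 4 base64 characters and also hashed, and a grace window of a couple of days, comes from the quoted post). The last two functions show why the change matters: DEFLATE saves bytes when a page repeats a string that also appears elsewhere in it, which is the repetition BREACH measures, and a token that is never the same twice removes that repetition.

```python
import base64
import datetime as dt
import hashlib
import hmac
import os
import zlib
from typing import Optional

# Constructed sample values (not Facebook's): a server-side key for the hash
# and a fixed date so that the example is reproducible.
SERVER_SECRET = b"constructed-example-secret-not-a-real-key"
SAMPLE_DAY = dt.date(2014, 10, 1)
GRACE_DAYS = 2      # "previous tokens still remain valid for a couple days"
SALT_BYTES = 3      # 24-bit salt -> 4 base64 characters at the end of the token
HASH_BYTES = 6      # truncated hash -> 8 base64 characters (assumed width)


def _b64(raw: bytes) -> str:
    # urlsafe base64 without padding: 3 bytes -> 4 chars, 6 bytes -> 8 chars
    return base64.urlsafe_b64encode(raw).decode()


def _truncated_hash(account_id: int, day: dt.date, salt: bytes) -> bytes:
    # Keyed SHA-256 over account ID, date and salt. Keying with a server secret is
    # an assumption; the post only says "truncated SHA-2 hash that incorporated
    # the account ID and current date".
    msg = f"{account_id}|{day.isoformat()}|".encode() + salt
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:HASH_BYTES]


def old_token(account_id: int, day: dt.date) -> str:
    """Pre-BREACH design: identical token for every session on the same day."""
    return _b64(_truncated_hash(account_id, day, b""))


def new_token(account_id: int, day: dt.date, salt: Optional[bytes] = None) -> str:
    """Current design: fresh 24-bit salt per request, hashed in and appended."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return _b64(_truncated_hash(account_id, day, salt)) + _b64(salt)


def verify_token(token: str, account_id: int, today: dt.date) -> bool:
    """Accept a token minted today or within GRACE_DAYS, comparing in constant time."""
    if len(token) != (HASH_BYTES + SALT_BYTES) * 4 // 3:
        return False
    try:
        salt = base64.urlsafe_b64decode(token[-4:])
    except ValueError:
        return False
    for age in range(GRACE_DAYS + 1):
        day = today - dt.timedelta(days=age)
        expected = _b64(_truncated_hash(account_id, day, salt)) + _b64(salt)
        if hmac.compare_digest(token, expected):
            return True
    return False


def days_later(day: dt.date, n: int) -> dt.date:
    return day + dt.timedelta(days=n)


def roundtrip(account_id: int, issued_on: dt.date, checked_on: dt.date, checked_as: int) -> bool:
    """Mint a token on one day and verify it on another, as the server would."""
    return verify_token(new_token(account_id, issued_on), checked_as, checked_on)


# Constructed page: the CSRF token sits in a form and some request-controlled
# text is reflected nearby, the situation in which compression leaks repetition.
PAGE_TEMPLATE = (
    b"<html><body><form><input type='hidden' name='fb_dtsg' value='%s'></form>"
    b"<p>Results for: %s</p><p>Nothing found. Try a different search.</p></body></html>"
)


def compressed_size(token_in_form: str, reflected_text: str) -> int:
    """Length of the DEFLATE-compressed body the browser would receive."""
    body = PAGE_TEMPLATE % (token_in_form.encode(), reflected_text.encode())
    return len(zlib.compress(body, 9))


def repetition_gap(account_id: int, day: dt.date) -> int:
    """Bytes saved by DEFLATE when the reflected text repeats the page's fixed token.

    A positive gap is the size signal BREACH depends on; with a salted token the
    string in the form changes on every request, so no two responses share it.
    """
    fixed = old_token(account_id, day)
    other = old_token(account_id + 1, day)          # same length, different content
    return compressed_size(fixed, other) - compressed_size(fixed, fixed)


if __name__ == "__main__":
    print("old:", [old_token(12345, SAMPLE_DAY) for _ in range(3)])
    print("new:", [new_token(12345, SAMPLE_DAY) for _ in range(3)])
    print("bytes saved by a repeated token:", repetition_gap(12345, SAMPLE_DAY))
```

Running the block prints three identical old-style tokens, three distinct new-style tokens whose last four characters differ, and a positive byte count for the repeated-token page, which is the measurement a rotating token denies.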

Top image courtesy of Shutterstock.
