A newly disclosed attack forces Web cache servers to deliver malicious content to website visitors, and the research behind it also exposed a serious security hole in the infrastructure behind Mozilla's Firefox browser.
James Kettle, head of research at PortSwigger Web Security, exploited weaknesses in the design of website infrastructure to poison the Web caches of major sites and platforms, including a US government agency, a popular cloud platform provider, a hosting platform provider, a software product, a video game, an investment firm's investor information pages, and several online stores.
He says the problem is a design flaw in the way caching and websites interact, and that it isn't specific to any given technology or cache.
In the course of his research he came across a flaw in an API used in Firefox's infrastructure that allowed him to take partial control of millions of browsers using his cache-poisoning method. He calls the result a "low-fat botnet" because he had only limited control over the browsers rather than total control of Firefox.
Kettle is keeping most of the details of the cache-poisoning technique, and the identities of the affected sites, secret until his Black Hat USA talk in August. But he says the attack lets him force a cache into behaving in an unsavory way without directly targeting the cache itself.
He explains the mechanism this way: when he sends a request to the website with his payload, the website replies with something potentially dangerous, the cache stores that response, and anyone who visits afterwards is served the exploit.
Web caches sit in front of websites and serve stored copies of content rather than having every response come from the live website. The complexity of the caches and content-delivery networks built around many of today's Web applications can leave them open to abuse.
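The poisoning sequence described above, modeled as an added example that is not code from the article or from PortSwigger. It assumes, purely for illustration, that the origin builds a script URL from an X-Forwarded-Host request header, and that the shared cache keys responses on the request path only, so that header is "unkeyed"; the hostnames example.com and evil.test and the canary value are constructed. A small probe function shows how a tester can check for such reflection without poisoning the entry real visitors receive.

```python
"""Toy model of Web cache poisoning via an unkeyed request header.

Added illustration; not the article's or PortSwigger's code. The reflected
header, the hostnames and the cache-key policy are assumptions chosen to
show the mechanism, not details taken from the article.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str                      # path plus query string, e.g. "/?cb=1a2b"
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    body: str
    cacheable: bool = True


def vulnerable_origin(req: Request) -> Response:
    """Assumed flaw: trusts X-Forwarded-Host to build an absolute URL."""
    host = req.headers.get("X-Forwarded-Host", req.headers.get("Host", "example.com"))
    return Response(f'<script src="https://{host}/static/app.js"></script>')


def hardened_origin(req: Request) -> Response:
    """Fix: absolute URLs come from server-side config, never from request headers."""
    return Response('<script src="https://example.com/static/app.js"></script>')


class Cache:
    """Shared cache keyed on the request path only (the 'cache key').

    X-Forwarded-Host is unkeyed: it changes the response but not the key,
    so a response built from an attacker's header is stored and then served
    to every later visitor requesting the same path.
    """

    def __init__(self, origin):
        self.origin = origin
        self.store = {}
        self.hits = 0

    def fetch(self, req: Request) -> Response:
        key = req.path
        if key in self.store:
            self.hits += 1
            return self.store[key]
        resp = self.origin(req)
        if resp.cacheable:
            self.store[key] = resp
        return resp


def run_attack(origin) -> tuple:
    """Attacker primes the cache once; a clean victim request is then served
    the attacker's response. Returns (victim body, poisoned?, cache hits)."""
    cache = Cache(origin)
    attacker = Request("/", {"Host": "example.com", "X-Forwarded-Host": "evil.test"})
    cache.fetch(attacker)                       # miss: origin reflects evil.test
    victim = Request("/", {"Host": "example.com"})
    served = cache.fetch(victim)                # hit: poisoned entry
    return served.body, "evil.test" in served.body, cache.hits


def probe_reflection(origin, header: str, canary: str = "canary-7f3a") -> bool:
    """Check whether a header influences the response, using cache busters.

    Each probe carries a unique query string so its response lands in a
    throwaway cache entry instead of the one real visitors receive.
    """
    cache = Cache(origin)
    base_path = f"/?cb={secrets.token_hex(4)}"
    probe_path = f"/?cb={secrets.token_hex(4)}"
    baseline = cache.fetch(Request(base_path, {"Host": "example.com"})).body
    probed = cache.fetch(Request(probe_path, {"Host": "example.com", header: canary})).body
    return probed != baseline and canary in probed


if __name__ == "__main__":
    print("vulnerable:", run_attack(vulnerable_origin))
    print("hardened:  ", run_attack(hardened_origin))
    print("reflects X-Forwarded-Host:", probe_reflection(vulnerable_origin, "X-Forwarded-Host"))
```

The two defences the model shows are the usual ones: either the origin stops deriving output from inputs the cache does not key on, or the cache operator adds such inputs to the cache key (or strips them before the request reaches the origin). When probing a live site, the cache buster matters in practice, because a probe that reflects into a shared entry is itself a poisoning.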
Previous research into Web cache security has covered injecting headers, or tricking the cache into saving and sharing sensitive data. Kettle's method is different because it forces the cache to serve exploits to website visitors.
An attacker can use it to plant code that steals passwords or payment-card information from a website when visitors load the site. The attack can also be used to deface a website or redirect visitors to a malicious site.
Kettle used his cache-poisoning attack on Firefox against the infrastructure behind the browser that checks for and delivers application and plug-in updates, as well as the URLs of dangerous websites to block. He says he found the flaw by accident, and that cache poisoning let him effectively push a limited set of commands to Firefox users worldwide, which took effect when those users opened the browser.
Mozilla fixed the issue within 24 hours of it being reported. Abusing the Firefox flaw on its own would be of limited use to an attacker; chaining it with another exploit to gain full control of the browsers would be the more likely path. Mozilla did not respond to a request for comment.