Crypto weakness leaves online banking apps open to attack
Security
Written by Gizmo   
Tuesday, 14 September 2010 19:51

The Register:

Flaws in the way web applications handle encrypted session cookies might leave online banking accounts open to attack.

The security risk stems from a cryptographic weakness in web applications developed using Microsoft's ASP.Net framework. ASP.Net uses the US government-approved AES encryption algorithm to secure the cookies generated by applications during online banking sessions and the like.

However, implementation flaws in how ASP.NET handles errors when the encrypted data in a cookie has been modified give clues to a potential attacker that would allow him to narrow down the possible range of the keys used in an online banking session. Attacks based on this weakness might allow a hacker to decrypt sniffed cookies or forge authentication tickets, among other attacks.
