CATEGORIES
home News

Decades Old ROBOT Exploit Resurfaces With Cryptographic Assault On PayPal And Facebook

by Paul LillyWednesday, December 13, 2017, 10:51 AM EDT
Security

A security flaw that was first discovered in 1998 by Daniel Bleichenbacher has resurfaced, putting at risk some of the most popular websites and services, including Facebook and PayPal. Called ROBOT, the 19-year-old vulnerability can be exploited to perform RSA decryption and signing operations with the private key of a TLS server, and can still be used against many HTTPS hosts in today's Internet landscape.

"For hosts that are vulnerable and only support RSA encryption key exchanges it's pretty bad. It means an attacker can passively record traffic and later decrypt it," security researchers Hanno Böck, Juraj Somorovsky (Hackmanit GmbH, Ruhr-Universität Bochum), and Craig Young (Tripwire VERT) stated in a blog post.

"For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack. We believe that a server impersonation or man in the middle attack is possible, but it is more challenging," the researchers added.

Nearly two decades ago, Bleichenbacher discovered that error messages given by secure sockets layer (SSL) servers for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack, in essence fully breaking the confidentiality of TLS when used with RSA encryption. At the time, countermeasures were put in place to thwart the vulnerability.

While it would seem that a decades old bug wouldn't be capable of causing trouble today, in this case it's been modified to allow various different signals to distinguish between error types like timeouts, connection resets, and duplicate TLS alerts. In addition, the original countermeasures were fairly complex, and as a result many of them were not implemented correctly.

In addition to Facebook and PayPal, the security researchers found vulnerable subdomains on 27 of the top 100 websites as ranked by Alexa, along with more than half a dozen vendors including Cisco, Citrix, and F5. There are fixes available from several of them, and more on the way.
Tags:  PayPal, Facebook, security, Robot, (NASDAQ:FB), (nasdaq:pypl)
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment