How does Facebook stop a BREACH attack?


By Justin Lafferty Comments


Though Facebook has moved to an HTTPS format, that doesn’t mean the site is completely safe. There’s a general attack on HTTPS-friendly sites called BREACH, which interacts with the technology that usually shields against a different attack called cross-site request forgery (CSRF).

CSRF is used against sites with user accounts, such as Facebook. According to Facebook, the attacker convinces the user’s browser to send plausible web requests to the target website. It’s masked as a common request, so it doesn’t raise any red flags within the browser.

If that works, then the attacker can pose as their victim, sending spam or stealing information.

Facebook detailed in a security blog post how the company protects against these kinds of attacks.

Chad Perry, a member of Facebook’s Security Infrastructure team in London, showed how Facebook can protect its users from BREACH:

Facebook protects people against this threat with an extra layer of security inside the CSRF token. Before BREACH was invented, the token was rotated once daily. The CSRF token contained a truncated SHA-2 hash that incorporated the account ID and current date. A person with three Facebook sessions within a single day would have received an identical CSRF token each time, (e.g., AQAOQ2sf, AQAOQ2sf, and AQAOQ2sf). Now our system replaces the token with a new one every time it is requested. Three different sessions use three different CSRF tokens, (e.g., AQGSRmYTeFnr, AQFkqN92V78v, and AQHouyYa35iv). These new tokens are generated by introducing a random 24-bit salt. The salt is the last 4 letters at the end of the token and is also included within the hash, which eliminates all repetition anywhere in the token. After a new token is issued, the previous tokens still remain valid for a couple days, resulting in multiple tokens being permissible simultaneously.

Previously, if attackers could trigger requests for a few hundred web pages with the same repeated CSRF token and see the compressed size, hypothetically that would be sufficient to take over an account. Now, even if attackers coerced the victim’s browser into submitting ten thousand requests per second, they would rarely encounter the same token twice. BREACH takes advantage of repetition, so the introduction of randomness foils the attempts.

Top image courtesy of Shutterstock.