Man In the Browser Attack | TechSNAP 59

Man In the Browser Attack | TechSNAP 59

Yahoo has made a mistake so big, you have to hear it to believe it. A common feature in firewalls could actually make you more susceptible attack, Blizzard huge security blunder.

PLUS: Separating traffic out between your network cards, and so much more on this week’s TechSNAP.

Thanks to: Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offer:

New customers 25% off your entire order, code: 25MAY7
Expires: May 31, 2012


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | Torrent File

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Support the Show:

Show Notes:

Yahoo accidentily released the private certificate key for thier new browser extension

  • Yahoo released their new browser extension, a ‘search browser’ called Axis
  • Yahoo accidentally included the private half of their certificate key in the files for the extension
  • This allows anyone with a copy of this key, to sign a new extension and have it appear as if it was legitimately created by Yahoo
  • This could be exploited further, using DNS Spoofing or various other techniques, an attacker could issue an updated version of the Axis plugin, appearing to be signed by Yahoo, but actually containing malware including a key logger and a cookie stealer
  • Yahoo has since released a new version of Axis without the private key
  • It is unclear if Yahoo has taken additional steps beyond publishing the new extension archive without the private key
  • It is imperative that the Yahoo certificate be revoked from trust, meaning Yahoo will need to get a new certificate and resign all of their extensions so they again appear as legitimate
  • Yahoo should probably be using an HSM (Hardware Security Module) to store the private key, rather than having it laying around in a plaintext file
  • Original Discovery
  • Proof of Concept Exploit
  • ThreatPost Coverage
  • Additional Coverage

Researchers find that a common firewall feature makes you more vulnerable

  • Most firewalls include a feature that checks the validity of the TCP initial sequence number (ISN)
  • The ISN is purposely randomized, to prevent spoofed packets from being injected into a TCP stream and prevent TCP session hijacking
  • The main goal of the firewall feature is to conserve bandwidth and other network resources by immediately dropping spoofed or suspicious packets
  • However, if the attacker has malware installed on the target machine behind said firewall, they will be able to determine which packets are being blocked for invalid ISNs and which are not, thus allowing them to determine what are infact valid ISNs
  • Once the attackers has the valid ISN, they can inject data into the TCP stream, and may be able to hijack a connection and present a phishing style login page for services such as facebook
  • Researchers managed to successfully execute a number of different attacks, including the phished facebook login page, injecting javascript to cause users to send tweets and follow people on twitter, injecting malicious links into MSN Messenger conversations between trusted users, and executing DDoS attacks against offsite targets
  • The research focused on mobile devices such as smart phones
  • The researchers found that 31.5% of the 149 mobile network nodes of major US national carriers that they surveyed had firewalls with the ISN tracking feature
  • Research Paper
  • Was presented at the IEEE Symposium on Security and Privacy 2012

New MitB (Man in the Browser) attack targets mobile banking

  • A new trojan called tatanga, uses rootkit type techniques to compromise almost all popular browsers on the windows platform, including: Internet Explorer, Firefox, Chrome, Opera, Safari and Konqueror
  • The trojan also includes elements to remove competing trojans such as the Zeus botnet, and defeat antivirus applications
  • The trojan specifically targets banks in Spain, the United Kingdom, Germany and Portugal
  • The trojan modifies the page inside the browser, so bypasses the encryption of SSL/TLS and even multi-factor login requirements
  • This type of MitB attack is hard to prevent
  • One such way to mitigate these attacks is an out-of-band transaction verification, confirming money transfers with the user outside of their online banking session
  • The tatanga trojan keeps this in mind, and uses social engineering to defeat it
  • When the user logs in to their online banking, passing the multi-factor authentication, the trojan injects a new page in to the user’s browser prompting them to enter a TAN (Transaction Authorization Number) that they will receive via SMS, to verify their login
  • The TAN that the user receives, is actually for the transfer of a large sum of money from their account to that of a mule
  • The trojan instructs users to ignore the specifics on the TAN provided in the SMS, stating that it is experimental, or a test message
  • The effectiveness of the social engineering attack is degraded by the weak writing skills of the author, a future variation of this attack could be far more effective
  • Background on Tatanga
  • Additional Coverage


Q: James asks about routing traffic out different network cards

+ Policy Based Routing on Linux (based on Source Address)
+ Linux Advanced Routing & Traffic Control HOWTO
+ Cross platform policy based routing
+ FreeBSD Example using multiple FIBs

Q: Danny asks about Version Control and Auditing


  • Subversion Manual
  • TortoiseSVN Shell Extension for Windows
  • Tortoise and many other SVN clients support a number of different protocols, including http:// and https:// (via WebDAV), svn:// (running an SVN daemon), svn+ssh:// (running the SVN CLI over SSH) and file:/// (directly accessing the repository, possible over windows file sharing or NFS)

Round Up:

Question? Comments? Contact us here!