How the HTTPS-snooping, email addy and SSN-raiding HEIST JavaScript code works

Malicious ads can potentially masquerade as people online and grab their personal information from HTTPS-protected websites, two boffins have shown. The technique is dubbed HEIST – HTTP Encrypted Information can be Stolen through TCP-Windows – and it was devised by Tom Van Goethem and Mathy Vanhoef, both PhD researchers at the …

  1. a_yank_lurker


    Would having different log in credentials including passwords thwart this attack? It sounds like the attack assumes the user is reusing login credentials across multiple sites.

    1. Richard 12 Silver badge

      Re: Question

      No, as it's based on reusing the session cookie from the user's active login to $SENSITIVE_SITE.

      The attack can be made while cookie survives, as the user does not need to reenter their password.

      1. The Man Who Fell To Earth Silver badge

        Re: Question

        But it would seem that one can reduce the likelihood of success by setting the browser to delete all cookies on exit, so the only potentially exploitable cookies are ones created since the browser was started. Or having a plugin that periodically deletes all cookies.

        1. Anonymous Coward

          Re: Question

          It's using a *session* cookie, which doesn't persist after you quit your browser.

  2. Adam 1

    Awesome name: check

    Logo: no. Wait, how can I take a HTTPS bug seriously if it doesn't have a logo!

  3. Pascal Monett Silver badge

    Breach, Crime, Heist

    Just what is the statistical probability of such a coincidence?

    Oh, one in a million? It had to happen then.

  4. Blitheringeejit

    "HEIST requires ... the victim to have enabled ... third-party cookies."

    And why would anyone in their right mind do that? Surely 3rd-party cookie threats have been around for aeons? Hats off to a very clever attack technique, but it's hardly much of a real-world threat, is it?

    1. Raumkraut

      Re: "HEIST requires ... the victim to have enabled ... third-party cookies."

      Sadly, and as noted in the article, 3rd party cookies are *still* enabled by default in most browsers. And most people don't know their browsers have options, let alone what they should set them to. So the default setting abides for most users.

      Which is a good thing, of course, because without third-party cookies being enabled, advertising revenue might be affected in some way to some extent, and therefore the interwebs will implode and the terrorists will have won. Is that what you want?

      1. tiggity Silver badge

        Re: "HEIST requires ... the victim to have enabled ... third-party cookies."

        And the inbuilt cookie control settings on most browsers seem to get less and less useful (less flexible / configurable) (As Mark Simon described for Firefox)

        On most browsers I use I have to use cookie controlling plugins for any decent level of fine grained cookie management (e.g. 3rd party cookies "never" is fine most of the time but there are occasions when I want to allow certain specific third party cookies on certain sites only).

    2. Crazy Operations Guy

      Re: "HEIST requires ... the victim to have enabled ... third-party cookies."

      3rd party cookies are required by some websites in order to work. This is more true now than in the past, mostly due to CDNs and the like where user data might be stored on both the primary domain ( as well as ( or My bank does this for their online banking portal where the main website and unencrypted content comes from cloudflare, but the secure data comes from the bank's domain.

  5. Adam 1

    I imagine this can be mitigated if the website specifies a CSP. That would even allow you to report on malvertising campaigns attacking your site as supported browsers report the violations.

    If you're not a website developer, you're stuffed because ad blockers and noscript don't exist.

  6. Sirius Lee

    Detection is not a one-way street

    Sites can also perform detection. If a site is receiving an abnormal number of requests from an IP address for the same resource within a small amount of time something is not right. An IP address will typically request many resources in a short period of time but usually for the different resources a browser needs to present a page. It's unusual for an IP address to access the same resource more than a few times in a short window of time. A user might refresh a page quickly once or twice but it's not likely they will be refreshing the page several times even in a few seconds.

    Even our noddy site performs these tests and blocks the offending IP address at the firewall so they are unable to proceed. We see attacks like this all the time, especially to registration pages, and are usually blocking one or two IP addresses per hour. I like to think that more sophisticated sites perform similar real-time checks if only out of self-interest because such attacks consume resources and capacity.
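The server-side check described in the post above, as an added example that is not code from the commenter or from The Register: it parses combined-format access log lines and flags any (IP, resource) pair fetched more than a few times inside a short sliding window, which is the "same resource, same IP, too fast" signal a HEIST-style probe produces. The log lines, the 5-second window and the threshold of 4 hits are constructed assumptions for illustration, not values from the page.

```python
"""Rate-based detection of repeated fetches of one resource from one IP.

Added example: flags an IP that requests the same resource more than a few
times within a short window, while leaving normal page loads (many different
resources in quick succession) alone. Log lines, window and threshold below
are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format (Apache/nginx style); we only need ip, timestamp, path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("path")


def find_repeat_offenders(lines, window_seconds=5, threshold=4):
    """Return {(ip, path): hit_count} for pairs exceeding `threshold` hits
    within any `window_seconds` span.

    A deque of request times is kept per (ip, path). Timestamps older than the
    window are dropped on each new hit; once the deque holds more than
    `threshold` entries the pair is reported (once), with the count at the
    moment it crossed the line. The caller can then push the IP to a firewall
    block list, as the commenter describes.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ip, ts, path = parsed
        key = (ip, path)
        q = windows[key]
        q.append(ts)
        # Evict timestamps that have fallen out of the sliding window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold and key not in flagged:
            flagged[key] = len(q)
    return flagged


# Constructed sample log: 10.0.0.5 loads a page normally (several different
# resources, then a single refresh later); 203.0.113.9 hammers one resource.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Aug/2016:10:00:00 +0000] "GET /account/profile HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Aug/2016:10:00:00 +0000] "GET /static/app.js HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Aug/2016:10:00:01 +0000] "GET /static/style.css HTTP/1.1" 200 8001 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Aug/2016:10:00:02 +0000] "GET /account/profile HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Aug/2016:10:00:02 +0000] "GET /account/profile HTTP/1.1" 200 5104 "-" "Mozilla/5.0"',
    'this line is deliberately malformed and must be skipped',
    '203.0.113.9 - - [03/Aug/2016:10:00:03 +0000] "GET /account/profile HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Aug/2016:10:00:03 +0000] "GET /account/profile HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Aug/2016:10:00:04 +0000] "GET /account/profile HTTP/1.1" 200 5104 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Aug/2016:10:00:04 +0000] "GET /account/profile HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Aug/2016:10:00:07 +0000] "GET /account/profile HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (ip, path), hits in find_repeat_offenders(SAMPLE_LOG).items():
        print(f"block {ip}: {hits} hits on {path} within 5s")
```

Tune the window and threshold to the site: a registration or login page legitimately sees a refresh or two, so the threshold should sit above that, while a probe that needs many requests per guessed character will cross it within seconds.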

    1. Paul 129

      Re: Detection is not a one-way street

      I wonder if this slowing down of the attack will prove effective. They may be still able to purloin some sensitive information.

      It may be easier to return forms uncompressed or introduce some random noise into the page. (random hidden text of varying length)

      It sounds like the fix needs to be on the content creators' sites, unfortunately.

  7. PassiveSmoking

    Malicious ads can potentially masquerade as people

    "Malicious ads can potentially masquerade as people online and grab their personal information from HTTPS-protected websites"

    And this is why I'll never uninstall my ad blocker. I don't block ads because they're annoying (which they surely are), I block them because they're an untrustworthy menace.

  8. Mark Simon

    The worst part …

    is how counter-intuitive it is to disable 3rd party cookies. For Firefox:

    1. Preferences

    2. Privacy

    3. History: Use custom settings for history

    4. Accept third-party cookies: Never

    … what?

  9. Anonymous Coward

    Here we go again

    Yet another way to fuck up somebody's computer is based on ADS.

    And they seriously wonder why people are so god damn fed up of this SHIT !!!!

    sorry for being so ranty, but I cannot stand the fact that so much of our computer use is screwed up just so levi's can try to convince me I need to slide my fat arse into skinny jeans ......

  10. Anonymous Coward

    Seems like a variation on brute force

    "We want to find out the email address. So first we send and get back, say, 200 bytes of compressed encrypted data. We next send a combination of addresses until we hit and get back 184 bytes"

    So in other words it just guesses at the email address. Presumably it'll have to do the same for any bank account/social security numbers too? Good luck with that. I suspect the bank server will become suspicious at all the failed attempts and lock the account long before the trojan manages to guess anything successfully.

  11. Anonymous Coward

    The worse thing about this attack?

    Is the desperate acronym. That has to be up there near the top, beating even the US government ones such as USA PATRIOT:

    "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001"

    As well as:

    1. Destroy All Monsters Silver badge

      Re: The worse thing about this attack?


      The next bug will be backronymed to "FREEDOMFRIES"!

  12. Tom 64

    As a client, there is not much you can do.

    But if you are a server op, simply turning off compression on your https connections mitigates this attack.

    This has been a best practice for a while, but as you can imagine there are a LOT of sites out there that don't do this, including your regular high-street banks.

    1. Destroy All Monsters Silver badge

      Re: As a client, there is not much you can do.

      Maybe one could simply inject randomness into processing times and response sizes?

      1. Aleksis

        Re: As a client, there is not much you can do.

        Rather than that, why not just add some random strings to each page in HTML comments? If they are varying lengths, the page will be a different size each request.

        1. takno

          Re: As a client, there is not much you can do.

          Unfortunately the timings for just the request are available, meaning that you are looking at entirely client-generated data, a large proportion of which is the cookies.

          You could just throw a new random-noise cookie into every response though, which might work.

        2. MarkItZer0

          Re: As a client, there is not much you can do.

          This makes it more difficult, but not impossible.

          With enough requests made, the randomness will even out over time into an average. Therefore, each reflected value can be repeated a number of times to find out how it averages.

  13. Bucky 2

    The problem isn't ads qua ads. It's ads served from third party servers. The whole concept is stupid and dangerous.

    If you want to run ads, for goodness sake, feel free. But use your own machines to host them, consume your own bandwidth to serve them, and accept responsibility for their contents.

  14. Alistair

    @ Bucky 2

    Your statement has a problem:

    " accept responsibility for their contents."

    Contains a violation of commercial rules.

    The objective is *profit*. Not responsibility.

  15. Herby

    Easy: noscript is your friend

    Yes, noscript is the answer, and it has been for quite some time. If you have any sense, you would install it and keep using it.

    Of course, logging out of your banking (or other sensitive) web site is also a good idea. One must be vigilant when it comes to $$$ or other similar sensitive data.
