
How the HTTPS-snooping, email addy and SSN-raiding HEIST JavaScript code works

Anonymous Coward

Seems like a variation on brute force

"We want to find out the email address. So first we send aaa@example.com and get back, say, 200 bytes of compressed encrypted data. We next send a combination of addresses until we hit bob@example.com and get back 184 bytes"

So in other words it just guesses at the email address. Presumably it'll have to do the same for any bank account/social security numbers too? Good luck with that. I suspect the bank server will become suspicious at all the failed attempts and lock the account long before the trojan manages to guess anything successfully.
