UploadLanguage (EN)Support
BusinessMobileSocial MediaMarketingTechnologyArt & PhotosCareerDesignEducationPresentations & Public SpeakingGovernment & NonprofitHealthcareInternetLawLeadership & ManagementAutomotiveEngineeringSoftwareRecruiting & HRRetailSalesServicesScienceSmall Business & EntrepreneurshipFoodEnvironmentEconomy & FinanceData & AnalyticsInvestor RelationsSportsSpiritualNews & PoliticsTravelSelf ImprovementReal EstateEntertainment & HumorHealth & MedicineDevices & HardwareLifestyle
Upload
Sign in
Lacoon Mobile Security, profile picture
Uploaded byLacoon Mobile Security
1,799 views

"Bleeding-In-The-Browser" - Why reverse Heartbleed risk is dangerous to the Enterprise

The document outlines the 'bleeding-in-the-browser' attack scenario where an attacker uses phishing emails to lure victims into accessing a malicious HTML page that exploits the Heartbleed vulnerability to capture sensitive data from their browser. The attack operates by opening a hidden tab that logs user credentials while refreshing regularly to extract data from the Android browser heap. To protect against such attacks, the document suggests mapping risks, enabling two-factor authentication, and utilizing specific tracking tools for mobile vulnerabilities.

Technology
Related topics:
Social EngineeringMobile Security Insights
1 / 7
2 / 7
3 / 7
4 / 7
5 / 7
6 / 7
7 / 7
Bleeding-In-The-Browser -  Attack flow scenario – Illustration of how an attacker can steal your Enterprise data -  Tips for protecting your Enterprise data from Bleeding-in-the-Browser / client-side Heartbleed 1
Tab 1 2 Victim receives an email that convinces them to access the targeted service (e.g. Facebook, Gmail, SalesForce, etc). Unknowingly, the fake URL opens a new tab in the browser and directs the user to an HTML file on a server containing the the Heartbleed client exploit script. Bleeding-in-the-Browser Attack Flow The HTML page refreshes every few seconds allowing the attack to capture data from the Android browser heap every few seconds (this time gap changes frequently) The HTML exploit will seamlessly open the target service in another tab so they are unaware of the malicious tab that is open in the background, logging the user to a HTTPS protected service (e.g. Facebook, Gmail, SalesForce, etc). During the login process, the malicious tab will refresh and cause additional data to arrive from the client's Android browser heap. 1 The attacker can now begin to extract data such as cookies, username, passwords and other credentials. 2 3 4 5 Phishing email Link
Tab 1 3 Victim receives an email that convinces them to access the targeted service (e.g. Facebook, Gmail, SalesForce, etc). Unknowingly, the fake URL opens a new tab in the browser and directs the user to an HTML file on a server containing the the Heartbleed client exploit script. Bleeding-in-the-Browser Attack Flow The HTML page refreshes every few seconds allowing the attack to capture data from the Android browser heap every few seconds (this time gap changes frequently) The HTML exploit will seamlessly open the target service in another tab so they are unaware of the malicious tab that is open in the background, logging the user to a HTTPS protected service (e.g. Facebook, Gmail, SalesForce, etc). During the login process, the malicious tab will refresh and cause additional data to arrive from the client's Android browser heap. 1 The attacker can now begin to extract data such as cookies, username, passwords and other credentials. 2 3 4 5 Phishing email Link
Tab 1 4 Victim receives an email that convinces them to access the targeted service (e.g. Facebook, Gmail, SalesForce, etc). Unknowingly, the fake URL opens a new tab in the browser and directs the user to an HTML file on a server containing the the Heartbleed client exploit script. Bleeding-in-the-Browser Attack Flow The HTML page refreshes every few seconds allowing the attack to capture data from the Android browser heap every few seconds (this time gap changes frequently) The HTML exploit will seamlessly open the target service in another tab so they are unaware of the malicious tab that is open in the background, logging the user to a HTTPS protected service (e.g. Facebook, Gmail, SalesForce, etc). During the login process, the malicious tab will refresh and cause additional data to arrive from the client's Android browser heap. 1 The attacker can now begin to extract data such as cookies, username, passwords and other credentials. 2 3 4 5 Phishing email Link Tab 1 Tab 2
Tab 1 5 Victim receives an email that convinces them to access the targeted service (e.g. Facebook, Gmail, SalesForce, etc). Unknowingly, the fake URL opens a new tab in the browser and directs the user to an HTML file on a server containing the the Heartbleed client exploit script. Bleeding-in-the-Browser Attack Flow The HTML page refreshes every few seconds allowing the attack to capture data from the Android browser heap every few seconds (this time gap changes frequently) The HTML exploit will seamlessly open the target service in another tab so they are unaware of the malicious tab that is open in the background, logging the user to a HTTPS protected service (e.g. Facebook, Gmail, SalesForce, etc). During the login process, the malicious tab will refresh and cause additional data to arrive from the client's Android browser heap. 1 The attacker can now begin to extract data such as cookies, username, passwords and other credentials. 2 3 4 5 Phishing email Link Tab 1 Tab 2
Tab 1 6 Victim receives an email that convinces them to access the targeted service (e.g. Facebook, Gmail, SalesForce, etc). Unknowingly, the fake URL opens a new tab in the browser and directs the user to an HTML file on a server containing the the Heartbleed client exploit script. Bleeding in the Browser Attack Flow The HTML page refreshes every few seconds allowing the attack to capture data from the Android browser heap every few seconds (this time gap changes frequently) The HTML exploit will seamlessly open the target service in another tab so they are unaware of the malicious tab that is open in the background, logging the user to a HTTPS protected service (e.g. Facebook, Gmail, SalesForce, etc). During the login process, the malicious tab will refresh and cause additional data to arrive from the client's Android browser heap. 1 The attacker can now begin to extract data such as cookies, username, passwords and other credentials. 2 3 4 5 Phishing email Link Tab 1 Tab 2
7 Protect Your Enterprise Data from Bleeding-in-the-Browser We Advise our Enterprise Customers to: §  Map the risk across your enterprise’s mobile devices and identify vulnerable devices. An on-line Heartbleed mobile device tester is available here: http://www.lacoon.com/?p=7998 For a free enterprise account, contact us at info@lacoon.com §  If you’ve identified vulnerable devices, enable two-factor authentication on critical services as SalesForce, Google Apps, Office365, etc. §  Use Lacoon MobileFortress to track the vulnerability status in your mobile environment and provide on-demand exploit mitigation.