XML Encryption Flaw Leaves E-Commerce Exposed

An update is the only way of curing the vulnerability

Recent studies revealed that the XML encryption used by IBM and Microsoft in web service applications presents certain vulnerabilities that would allow someone to intercept and decrypt the data transmitted between online servers.

According to H Security, researchers at the Ruhr University of Bochum (RUB) in Germany, the ones that made the discovery, plan on publishing the details of their work at an upcoming security conference in Chicago.

The experts, Juraj Somorovsky and Tibor Jager, concluded that e-commerce, public administration and financial institutions are exposed after they managed to crack parts of the encryption.

To accomplish their task, they sent encrypted data containing a modified cipher text to a server. After they've intercepted the packet in the cipher block chaining (CBC) mode and changed its initialization vector, they were able to determine content of the encrypted text.

The process seems to be working only when AES encryption is utilized in the CBC mode, so if an RSA key or X.509 certificates are used for the codification, the attack concept is not effective.

Since the attack was successful in most of the situations they've tested, they concluded that the current standard, the one governed by a W3C recommendation, is not safe any more.

Unfortunately, there seems to be no cure for the flaw, the researchers strongly recommending that the standard's technical specifications must be updated accordingly.

The World Wide Web Consortium (W3C), also known as the main international standards organization for WWW, is in charge of formulating technical requirements and guidelines for technologies such as HTML, XHTML or XML. Until now they've accomplished their task well, but now it seems they will have to revise some things in order to keep the online environment a safe place.

Hopefully, those who can mitigate the issue will quickly act on this to avoid any unfortunate situations that might affect individuals and businesses alike.

Hot right now  ·  Latest news