A new Facebook engineering blog post highlights how the company is trying to counter the threat of Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) attacks, which security researchers warned about last August.
BREACH attacks can be linked to the security measures an organization might use when dealing with cross-site request forgery (CSRF) attacks, which target websites that have user accounts, according to Chad Parry, a member of Facebook’s security and infrastructure team based in London.
In a CSRF attack, an attacker impersonates a user by tricking the user's browser into sending web requests, which can send spam or steal information, to any website where that user has an account, Parry wrote.
Companies like Facebook can prevent such an attack with a CSRF token, a marker that indicates whether a request comes from the real user or from a hijacked account, but the BREACH attack has essentially pushed that security measure to the side. In certain circumstances, Parry wrote, the way a web page gets compressed can allow attackers to discover a user's CSRF token, even when the traffic between the user and the website is encrypted.
Essentially, Facebook is countering BREACH attacks by adding an extra layer of security inside CSRF tokens. Here’s a rundown of the technical details behind what Facebook is doing:
A person with three Facebook sessions within a single day would have received an identical CSRF token each time…Now our system replaces the token with a new one every time it is requested…These new tokens are generated by introducing a random 24-bit salt. The salt is the last 4 letters at the end of the token and is also included within the hash, which eliminates all repetition anywhere in the token. After a new token is issued, the previous tokens still remain valid for a couple days, resulting in multiple tokens being permissible simultaneously.
As Parry noted, the introduction of the random sequence of characters into the CSRF token is enough to foil the BREACH attacks, which require repetition to do their dirty work.
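As an added illustration, not Facebook's own code, here is one way the scheme quoted above can be implemented: a random 24-bit salt is appended as the last four base64 characters of the token and is also fed into the hash, a fresh token is minted on every request, and tokens minted in the current or previous day bucket stay valid. The HMAC-SHA256 construction, the day bucket and the two-day window are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

SALT_BYTES = 3          # 24 random bits, which encode to exactly 4 base64 characters
TOKEN_VALID_DAYS = 2    # assumption: "a couple days" of grace for earlier tokens
MAC_CHARS = 43          # 32-byte SHA-256 digest as unpadded base64


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _day(now: Optional[float]) -> int:
    return int((time.time() if now is None else now) // 86400)

def _mac(secret: bytes, session_id: str, salt: bytes, day: int) -> bytes:
    # The salt is part of the MAC input, so every byte of the digest changes with it;
    # the issue day (assumed here) is what lets old tokens expire.
    msg = b"|".join([session_id.encode(), salt, str(day).encode()])
    return hmac.new(secret, msg, hashlib.sha256).digest()

def issue_token(secret: bytes, session_id: str, now: Optional[float] = None) -> str:
    """Mint a fresh token on every request: base64(MAC) followed by the 4-char salt.
    Two tokens for the same session share no stable substring, so a compression
    side channel has nothing repeated to match against."""
    salt = secrets.token_bytes(SALT_BYTES)
    return _b64(_mac(secret, session_id, salt, _day(now))) + _b64(salt)

def verify_token(secret: bytes, session_id: str, token: str,
                 now: Optional[float] = None) -> bool:
    """Accept any token minted for this session in the current or previous day buckets."""
    if len(token) != MAC_CHARS + 4:
        return False
    try:
        mac, salt = _unb64(token[:MAC_CHARS]), _unb64(token[MAC_CHARS:])
    except ValueError:
        return False
    today = _day(now)
    return any(
        hmac.compare_digest(mac, _mac(secret, session_id, salt, day))
        for day in range(today, today - TOKEN_VALID_DAYS, -1)
    )
```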