- Web Cache Deception attacks are still impacting many popular websites, says new research.
- With several website operators not aware of the impact of the attack, the adoption of mitigation measures seems to be quite slow.
Many websites cache pages that contain user’s personal information. These pages are stored inside the content delivery network (CDN) of the website.
- Anyone who can pass through the login mechanism can access the data on the cached pages.
- Now attackers convince users to access a carefully designed URL. The CDN would store this URL along with the database of cached pages.
- The attacker can access the personal information of the victim by accessing the URL.
These attacks were initially disclosed in early 2017 by security researcher Omer Gil. During this time out of 30 popular websites, only 3 were found to be impacted by this attack.
This attack is not just restricted to web-related files such as CSS or JS. More than 40 file extensions can be targeted by attackers.
The current scenarioResearchers noticed that 25 of the Alexa Top 5,000 websites were impacted by the Web Cache Deception attack.
- Although the number is small, the impacted websites are said to have large user populations.
- According to the researchers, most websites were vulnerable owing to the CDN caching rules being improperly configured.
But it could also be a decentralised web that challenges the dominance of the tech giants by moving us away from relying so heavily on a few companies, technologies and a relatively small amount of internet infrastructure Peer-to-peer technology When we currently access the web, our computers use the HTTP protocol in the form of web addresses to find information stored at a fixed location, usually on a single server.
“One reason for this slow adoption of necessary mitigations could be a lack of user awareness. However, the attention WCD garnered from security news outlets, research communities, official web cache vendor press releases, and even mainstream media also suggests that there may be other contributing factors,” said the research team.
With CDNs offering detail-oriented mechanisms for caching, they must be configured with care to ensure protection from such threats.