HTTP Request Hijacking Flaw Leaves Mobile Users at Risk

A new type of flaw is discovered that could be leading mobile users down the path to ruin.

Security researchers from mobile security firm Skycure today revealed details on a new type of mobile threat that potentially puts millions of users at risk of being exploited. The new threat, called HTTP Request Hijacking (HRH), could be responsible for redirecting mobile users to malicious Websites.

The HRH flaw is particularly dangerous because countless numbers of existing mobile applications are already vulnerable, Skycure Chief Technology Officer and co-founder Yair Amit explained to eWEEK. The flaw involves a persistent caching feature in code running on mobile operating systems, in particular Apple's iOS.

The way the HRH flaw works is a user using a public WiFi network is targeted by a hacker using a man-in-the-middle (MiTM) attack. In an MiTM attack, an attacker intercepts the user's WiFi connection and then inserts a 301 redirect code, which is an HTTP response code that permanently redirects traffic to a different address.

The HRH flaw isn't the MiTM attack itself, which is enabled by having an open, unencrypted WiFi access point. The flaw lies with the 301 redirect. Amit noted that the way Apple iOS works is that the 301 redirect is cached by the application on the mobile operating system. As such, even after the user has disconnected from the open access point and has connected at a secured home or office access point, the connection for a specific site could still be redirected.

Amit noted that the code that enables the persistence of the 301 redirect is common across countless mobile applications, which means that users are already potentially at risk.

The Fix

One of the ways users can protect themselves from being the victim of an HRH attack is by using Secure Sockets Layer (SSL) encrypted Websites. An SSL Website, when properly configured, is not easily redirected. An SSL certificate that is issued by a Certificate Authority (CA) can be checked via the browser or operating system when visiting a site to ensure authenticity.

At a coding level, there is code that application developers can insert into their application to protect apps and their users. Amit said developers just need to create a code object that prevents the application from caching 301 redirects.

"By not caching the 301 redirects, users are no longer at risk," he said.

In the spirit of full-disclosure, Amit said his company contacted Apple about the flaw. That said, he stressed that the issue is a coding issue and not a flaw inside the actual mobile operating system.

"This is something that developers should be aware of and fix," Amit said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.