Friday, March 26, 2010

Side Channel Attacks against SaaS

The Register highlights a paper from Microsoft Research and Indiana University on information leakage from popular SaaS applications. Interestingly, the attacks work even when only HTTPS is used and are most effective when the application is relatively sophisticated and uses modern development techniques.

The attack is based on observing the size of packets between a user and an application and subsequently deducing the content. Although this initially sounds rather far-fetched, AJAX technology means data transfer has “low entropy”, making it far easier to guess the content than for a more basic application.

“AJAX (shorthand for asynchronous JavaScript and XML) is a group of interrelated web development techniques used on the client-side to create interactive web applications. With AJAX, web applications can retrieve data from the server asynchronously in the background without interfering with the display and behaviour of the existing page.” *

To put this in layman's terms, AJAX allows the user and application to efficiently transfer data without the overhead of display and formatting information. It is subsequently much easier to determine the packet content by observing its length, as there is less “noise” in the transmission.

The paper gives an example of determining a victim’s gross income by observing packets from an online tax preparation site.

What risk does this pose to everyday users of SaaS type applications? In the main, the risk is probably very low, as an attacker first needs to invest considerable time in profiling an application. They then need to be able to capture the traffic of the target at the right time. Information leakage, although highly dependent on the application, is unlikely to include specific data such as passwords or other fields that are not selected from a list. In the real world, an attack would need to be targeted against a specific user or group to have a chance of being effective.
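For anyone running such an application, the exposure of a list-driven field can be checked by grouping the possible responses by size. The sketch below is an added example, not code from the paper or the article: the option names, the JSON payloads and the idea of padding each body up to a fixed block size are assumptions for illustration, and plaintext body length stands in for the encrypted size seen on the wire (TLS overhead and compression are ignored).

```python
import json
from collections import defaultdict

# Constructed sample data: hypothetical AJAX responses, one per choice in a
# drop-down list. Each value is the list of follow-up items the server returns.
OPTIONS = {
    "option_a": ["q1"],
    "option_b": ["q1", "q2"],
    "option_c": ["q1", "q2", "q3"],
    "option_d": ["q1", "q10"],
    "option_e": ["q5"],
}


def observed_sizes(options, block=1):
    """Body length per option, rounded up to a multiple of `block` bytes.

    block=1 means no padding; a larger block models padding every response
    to the next block boundary (an assumed mitigation).
    """
    sizes = {}
    for name, payload in options.items():
        n = len(json.dumps({"next": payload}).encode())
        sizes[name] = -(-n // block) * block  # ceiling to a block multiple
    return sizes


def anonymity_sets(sizes):
    """Group options that an observer of sizes alone cannot tell apart."""
    groups = defaultdict(list)
    for name, size in sizes.items():
        groups[size].append(name)
    return {size: sorted(names) for size, names in groups.items()}


def uniquely_identifiable(sizes):
    """Options whose response size is shared with no other option."""
    return sorted(names[0] for names in anonymity_sets(sizes).values()
                  if len(names) == 1)


if __name__ == "__main__":
    for block in (1, 16, 32):
        sizes = observed_sizes(OPTIONS, block)
        print(f"block={block:2d} sets={anonymity_sets(sizes)} "
              f"unique={uniquely_identifiable(sizes)}")
```

Any option reported as unique is revealed by size alone; larger padding blocks merge options into bigger groups at the cost of extra bandwidth.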

In the list of things you need to worry about for internet security, this kind of attack is fairly low on the list. Of course, this may change as exploit techniques develop, so it is well worth keeping an eye on.

*Wikipedia
