The Bleeding-In-The-Browser attack is a highly common scenario that exploits an Android 4.1.1 mobile browser to steal credentials and session cookies using reverse Heartbleed. This presentation illustrates how easily an attacker can steal your Enterprise data with social engineering techniques, and gives tips for protecting your Enterprise data from Bleeding-in-the-Browser / client-side Heartbleed.
"Bleeding-In-The-Browser" - Why reverse Heartbleed risk is dangerous to the Enterprise
1. Bleeding-In-The-Browser
- Attack flow scenario – Illustration of how an attacker can steal your Enterprise data
- Tips for protecting your Enterprise data from Bleeding-in-the-Browser / client-side Heartbleed
2. Bleeding-in-the-Browser Attack Flow
(1) Victim receives an email that convinces them to access the targeted service (e.g. Facebook, Gmail, SalesForce, etc). Unknowingly, the fake URL opens a new tab in the browser and directs the user to an HTML file on a server containing the Heartbleed client exploit script.
(2) The HTML page refreshes every few seconds, allowing the attack to capture data from the Android browser heap every few seconds (this time gap changes frequently).
(3) The HTML exploit will seamlessly open the target service in another tab so they are unaware of the malicious tab that is open in the background, logging the user in to an HTTPS-protected service (e.g. Facebook, Gmail, SalesForce, etc).
(4) During the login process, the malicious tab will refresh and cause additional data to arrive from the client's Android browser heap.
(5) The attacker can now begin to extract data such as cookies, usernames, passwords and other credentials.
(Diagram labels: Phishing email, Link, Tab 1, Tab 2)
7. Protect Your Enterprise Data from Bleeding-in-the-Browser
We advise our Enterprise customers to:
- Map the risk across your enterprise's mobile devices and identify vulnerable devices. An on-line Heartbleed mobile device tester is available here: http://www.lacoon.com/?p=7998 For a free enterprise account, contact us at info@lacoon.com
- If you've identified vulnerable devices, enable two-factor authentication on critical services such as SalesForce, Google Apps, Office365, etc.
- Use Lacoon MobileFortress to track the vulnerability status in your mobile environment and provide on-demand exploit mitigation.
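The first two tips can be combined into one triage pass over a device inventory. The sketch below is an added example, not Lacoon's tooling or anything from the presentation: the CSV column names, the sample rows and the 2FA enrollment map are all constructed, and the vulnerable set contains only Android 4.1.1 because that is the version the deck names.

```python
import csv
import io
import re

# Per the deck, the Android 4.1.1 browser is the client exposed to reverse Heartbleed.
VULNERABLE_ANDROID = {(4, 1, 1)}
# Critical services named in the deck's second tip.
CRITICAL_SERVICES = ("SalesForce", "Google Apps", "Office365")

# Constructed sample inventory export (column names are assumptions).
INVENTORY_CSV = """device_id,user,platform,os_version
D-001,alice,Android,4.1.1
D-002,alice,iOS,7.1
D-003,bob,Android,Android 4.1.1
D-004,carol,Android,4.4.2
D-005,dave,Android,
D-006,erin,android,4.1.2
"""

# Constructed sample: services on which each user already has 2FA enabled.
TWO_FACTOR = {
    "alice": {"SalesForce", "Google Apps", "Office365"},
    "bob": {"Google Apps"},
}

def parse_version(text):
    """Return the dotted version as a tuple of ints, or None if unreadable."""
    match = re.search(r"(\d+(?:\.\d+)+)", text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))

def triage(inventory_csv, two_factor):
    """Return (vulnerable device ids, unknown-version ids, 2FA gaps per user)."""
    vulnerable, unknown, gaps = [], [], {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["platform"].strip().lower() != "android":
            continue  # only the Android browser is in scope here
        version = parse_version(row["os_version"])
        if version is None:
            unknown.append(row["device_id"])  # cannot rule out: test the device
        elif version in VULNERABLE_ANDROID:
            vulnerable.append(row["device_id"])
            enabled = two_factor.get(row["user"], set())
            gaps[row["user"]] = [s for s in CRITICAL_SERVICES if s not in enabled]
    return vulnerable, unknown, gaps

if __name__ == "__main__":
    print(triage(INVENTORY_CSV, TWO_FACTOR))
```

Devices with a missing or unparseable version are reported separately rather than treated as safe, so they can be checked with a device tester before being cleared.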