Truncating TLS Connections to Violate Beliefs in Web Applications

Ben Smyth & Alfredo Pironti (2015) Truncating TLS Connections to Violate Beliefs in Web Applications. INRIA Technical Report hal-01102013.



We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application's state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts.

Update (October 18, 2014). This technical report revisits our earlier work (2013) and shows that Google remain vulnerable to the attacks that we disclosed.

Acknowledgement from Google and Microsoft

Our contribution has been acknowledged in Google's Hall of Fame and Microsoft's Security Researcher Acknowledgements.

Media coverage

This article has been discussed by The Register (local cache) and Spiegel Online (local cache).

Talk and video demonstrations

Our Black Hat talk and videos demonstrating our attacks against Google, Helios and Microsoft are available on YouTube:

Bibtex Entry

	author = "Ben Smyth and Alfredo Pironti",
	title = "{Truncating TLS Connections to Violate Beliefs in Web Applications}",
	year = "2015",
	number = "hal-01102013",
	institution = "INRIA",