HTTP and the nightmare: Getting the username + password of a WordPress account


When it comes to digital systems, security has always been neglected and treated as an add-on feature. People (developers, engineers, scientists) keep developing hardware and software without thinking about security, which ultimately leads to disaster.

Abstract
Today, I’m going to demonstrate the drawback of using HTTP. I will show you how a person sitting at a different computer can get your username and password. I’ll be using the bolobhi.org admin page for this purpose. However, this attack succeeds against any website that uses HTTP rather than HTTPS.

What is a protocol: HTTP?
Before I move on to HTTP, let me explain what a protocol is. A protocol, in simple words, is an algorithm: a method of doing a certain task. A protocol defines a set of rules that help a computer perform the desired task.

The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web. (source: wikipedia)

Keeping things simple, all the web browsing you do, i.e. loading Facebook, Twitter, SoundCloud or any other website in a web browser, uses the Hypertext Transfer Protocol (HTTP). HTTP dates back to the 90s, and at that time connecting to and loading web pages was the main goal. All HTTP communication is in simple plain text; no encryption scheme is applied. This means that a person can read and understand the information carried over HTTP.

Practical Example: HTTP and the nightmare
Let’s say that you have an account at United Bank Limited (UBL) and, for your convenience, you have activated UBL online banking. In online banking, the bank provides a website where you enter your username and password to access the account and perform various activities, e.g. transferring money to someone’s account. Now let’s suppose that UBL is using HTTP. What can happen? An adversary can get your username + password, as HTTP communication has no encryption scheme, and can then transfer your money to his own account. No one wants this to happen.

Magic wand: The HTTPS
With the above attack in view, HTTPS was designed. HTTPS is very similar to HTTP; however, HTTPS uses an encryption scheme to protect its content. That means an adversary can capture the HTTPS data but cannot extract the useful information (username + password) from it.

Platform: Windows 7 (the attacker’s computer), Windows XP (the victim’s computer)
Software:
Cain & Abel, Wireshark, a web browser (Firefox was used)

Assumptions:
Both the attacker and victim must be residing in the same local area network for this attack to be successful.

It’s demo time:
1. The victim is using a Windows XP based system with the IP address “192.168.0.110”.

2. The attacker is using Windows 7 and has two programs installed on his system: Cain & Abel for performing the man-in-the-middle attack, and Wireshark to capture the HTTP information. The attacker’s IP is “192.168.0.100”.

3. As usual, the victim is doing normal browsing and at some point decides to log in to her website. For this example, let’s say our victim is the famous activist Sana Saleem, who is trying to update her website bolobhi.org. Sana enters her username + password and presses Enter to log in.

4. As the attacker has performed a man-in-the-middle attack, he is able to get Sana’s critical information without her consent. Below is a screenshot of the attacker’s computer running Wireshark, a program for capturing network traffic. The attacker succeeded in getting the username and password of the victim. The details are username: “sanasaleem@bolobhi.org” and password: “secretPassword”.

Conclusion:
The demonstration shows that HTTP isn’t secure and that one should avoid using HTTP for providing critical information. The solution is to use HTTPS. Almost all banks and email service providers (Gmail, Outlook, Ymail etc.) use HTTPS instead of HTTP. There is only one con of using HTTPS: the computational overhead. In other words, it may require more time to load.

I hope this article makes you HTTP/HTTPS aware. Prefer HTTPS over HTTP as much as possible. Feel free to ask me questions.

Note:
1. Please note that this was not a tutorial, which is why I haven’t explained how to perform a man-in-the-middle attack or how to capture the packets.
2. The username + password were not real, so don’t be dumb and try that combination.
