The new VORACLE attack can recover HTTP traffic sent via VPNs
- VORACLE is a variant and combination of old cryptographic attacks.
- VORACLE only works on OpenVPN-based VPN services.
Security experts have discovered a new kind of attack called VORACLE. This new attack method could give cybercriminals the ability to recover HTTP traffic sent via encrypted VPN connections. The attack was discovered by security researcher Ahamed Nafeez, who explained how VORACLE works at the Def Con hacking conference last week.
The VORACLE attack is not an entirely new attack, but a variation and combination of older cryptographic attacks such as CRIME, TIME and BREACH. Although fixes for the older attacks were released in 2012 and 2013, VPN services that compress HTTP traffic before encrypting it are still susceptible to them.
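Why compressing before encrypting is risky can be seen in a short Python model, added here as an illustration and not taken from Nafeez's research or from OpenVPN: encryption hides a packet's content but not its size, and the compressed size shrinks when other text in the same packet repeats the secret. The cookie value, host name, `OVERHEAD` constant and function names are constructed assumptions, and zlib stands in for the VPN's compressor.

```python
import zlib

# Constructed sample data, not captured traffic.
SECRET_COOKIE = "sessionid=7f3a9c1e5b2d4860"
# Assumed constant per-packet overhead (header plus auth tag); a constructed
# value, not OpenVPN's real framing.
OVERHEAD = 24


def http_request(reflected: str) -> bytes:
    """Plain-HTTP request in which externally influenced text shares a packet
    with the session cookie."""
    return (
        f"GET /search?q={reflected} HTTP/1.1\r\n"
        "Host: example.test\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n\r\n"
    ).encode()


def wire_length(plaintext: bytes, compress: bool) -> int:
    """Size an on-path observer sees. The cipher is modelled as
    length-preserving plus a constant, which is all the observer learns."""
    body = zlib.compress(plaintext, 9) if compress else plaintext
    return len(body) + OVERHEAD


def length_gap(compress: bool) -> int:
    """Observed size difference between a request that does not repeat the
    cookie and one that does; both plaintexts have the same length."""
    repeats = http_request(SECRET_COOKIE)
    differs = http_request("sessionid=Qx0Zk8Lw2Vn4Tj6R")
    assert len(repeats) == len(differs)
    return wire_length(differs, compress) - wire_length(repeats, compress)


if __name__ == "__main__":
    # With compression the two packets differ in size; without it they do not.
    print("gap with compression:   ", length_gap(compress=True))
    print("gap without compression:", length_gap(compress=False))
```

With compression disabled the two packets are the same size, which is why turning off pre-encryption compression removes the signal.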
VORACLE works on OpenVPN-based services
According to Nafeez, VORACLE only works on OpenVPN-based services. In the event that an attacker has successfully lured a user to an HTTP site, the attacker could then execute malicious code to steal sensitive information, such as session cookies.
"VORACLE allows an attacker to decrypt secrets from HTTP traffic sent through a VPN," Nafeez told Bleeping Computer. "The aim of the attack is to leak interesting secrets. This can be any cookies, pages with sensitive information, etc."
VORACLE can be blocked
Fortunately, VORACLE attacks can be prevented. VPN services could allow users to change the VPN protocol, which, in turn, would allow users to switch to a non-OpenVPN protocol.
Another way to avoid VORACLE attacks would be to steer clear of HTTP websites and switch to HTTPS, as HTTPS traffic sent via VPNs is unaffected by VORACLE. Users can also switch to using Chromium-based browsers to stay safe from the attack.
Bleeping Computer reported that Nafeez notified the OpenVPN project and other VPN providers about the VORACLE attack. Following Nafeez’s report, the OpenVPN project has decided to issue a more explicit warning about the risks involved with pre-encryption compression.