Web Cache Deception Attacks are Still Around, Says New Research

• Web Cache Deception attacks are still impacting many popular websites, says new research.
• With several website operators not aware of the impact of the attack, the adoption of mitigation measures seems to be quite slow.

But first, what is a Web Cache Deception attack?

Many websites cache pages that contain user’s personal information. These pages are stored inside the content delivery network (CDN) of the website.

• Anyone who can pass through the login mechanism can access the data on the cached pages.
• Now attackers convince users to access a carefully designed URL. The CDN would store this URL along with the database of cached pages.
• The attacker can access the personal information of the victim by accessing the URL.

These attacks were initially disclosed in early 2017 by security researcher Omer Gil. During this time out of 30 popular websites, only 3 were found to be impacted by this attack.

This attack is not just restricted to web-related files such as CSS or JS. More than 40 file extensions can be targeted by attackers.

The current scenario

Researchers noticed that 25 of the Alexa Top 5,000 websites were impacted by the Web Cache Deception attack.

• Although the number is small, the impacted websites are said to have large user populations.
• According to the researchers, most websites were vulnerable owing to the CDN caching rules being improperly configured.

“One reason for this slow adoption of necessary mitigations could be a lack of user awareness. However, the attention WCD garnered from security news outlets, research communities, official web cache vendor press releases, and even mainstream media also suggests that there may be other contributing factors,” said the research team.

With CDNs offering detail-oriented mechanisms for caching, they must be configured with care to ensure protection from such threats.