Over 1,600 Domains Discovered in Superfish-Komodia MitM Attacks Using Invalid HTTPS Security Certificates

Posted on March 26, 2015.


The browser add-on known as Superfish caused a major uproar when it was found to behave maliciously and to have been pre-loaded at the factory on certain Lenovo notebook computers last year. More recently, Superfish was found to give cybercrooks a gateway for intercepting traffic, by way of the Komodia engine built into Superfish, for various malicious purposes.

The secure communications initiated by Superfish and its components were supposed to stay between the host and the client computer. However, attackers may be able to use the certificates issued by Superfish and its Komodia software to intercept those communications and gather data transmitted over what is supposed to be a secure HTTPS connection.

So far, there have been over 1,600 cases where Komodia failed to reject invalid certificates presented by HTTPS websites. This discovery was made by security researchers at the Electronic Frontier Foundation (EFF). The problem with these HTTPS certificates is that Komodia would re-sign an invalid certificate, making it appear to be a legitimate one. Although such a move would trigger a warning in web browsers, the scheme may still allow validation for more than one website, thus allowing the transmitted data to be compromised.

Alternative domains may be another way for cybercriminals to bypass the alerts or roadblocks that web browsers raise when they detect something “fishy” about the Superfish and Komodia certificates. In such a case, the main domain is the one that is flagged, while an alternative domain in the same certificate still loads, and the data transmitted to it can be intercepted.
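The alternative-domain problem above comes down to how clients match a hostname against a certificate. The following example was written for this article and is not code from EFF, Komodia or Superfish; it models the assumed behaviour that the engine, after upstream validation failed, re-signed the certificate with a mangled Common Name (the `verify_fail.` prefix and the `example.com` names are constructed) but left the Subject Alternative Name list intact, and shows why a browser following RFC 6125 (SAN first, CN only as a fallback) never sees the intended warning.

```python
"""Why a mangled Common Name does not stop a re-signed certificate from validating.

Assumption (not from the article): on an invalid upstream certificate, the interception
engine re-signs it with its own root CA but rewrites the CN to provoke a browser mismatch
warning, while the Subject Alternative Name (SAN) entries are copied through unchanged.
RFC 6125 clients match against SAN dNSName entries first and ignore the CN whenever any
DNS SAN is present, so the warning only fires for clients that still rely on the CN.
"""


def _label_match(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: '*' may only stand in for the entire leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same number of labels, at least "*.domain.tld" (refuse "*.com"), and the rest equal.
    return len(p_labels) == len(h_labels) and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, host: str) -> bool:
    """Browser-style check: SAN dNSName entries take precedence; CN is only a fallback."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_label_match(san, host) for san in sans)
    return _label_match(cert.get("commonName", ""), host)


def cn_only_matches(cert: dict, host: str) -> bool:
    """Legacy check that consults only the CN, which is all the CN rewrite could affect."""
    return _label_match(cert.get("commonName", ""), host)


# Constructed sample: the certificate as it would look after re-signing, CN mangled, SAN kept.
RESIGNED_CERT = {
    "commonName": "verify_fail.mail.example.com",
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
}


def check_mitigation(cert: dict = RESIGNED_CERT, host: str = "mail.example.com"):
    """Return (cn_only_result, san_aware_result) so the gap is visible in one call."""
    return cn_only_matches(cert, host), hostname_matches(cert, host)


if __name__ == "__main__":
    print(check_mitigation())  # (False, True): only a CN-based client would warn
```

The defender's takeaway is that a TLS proxy which cannot validate the upstream chain must refuse the connection rather than re-sign anything; no cosmetic change to the certificate substitutes for that.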

Researchers at EFF also explained that high-profile domains may be affected; data from the Decentralized SSL Observatory uncovered this information. Among the high-profile sites affected, they found Amazon, Google, Yahoo, Twitter, eBay and several banking sites. Even though these sites were unlikely to have had invalid certificates, Komodia may have enabled Man-in-the-Middle (MitM) attacks against them. A MitM attack would give attackers access to the email accounts, social media accounts, banking accounts and even the internet search histories of users of many of these high-profile sites.

Through MitM attacks aided by Komodia and Superfish, advertisements could be injected into high-profile sites, or compromised accounts could be used to compromise encryption keys.
