Dubbed CRIME by the researchers Juliano Rizzo and Thai Duong, the attack supposedly works similarly to the BEAST attack, and will be presented for the first time to the public during the ekoparty Security conference which is to be held in Argentina later this month.
Without wanting to reveal much about the soon-to be unveiled attack, the researchers shared that the feature in question leaks information that can be used to decrypt user cookies, extract the login information contained in them and hijack their sessions.
This new attack is more effective than the BEAST, as the latter affected only TLS 1.0 and SSL 3.0 and could be foiled by simply switching to other versions of the standard and from using the AES algorithm to employing the RC4 one.
The CRIME, unfortunately, affects all SSL/TLS versions and both Firefox and Chrome are vulnerable to the attack, although the researchers have notified Mozilla and Google about the flaw and patches are expected to be released in the next few weeks.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.