Won the Championship of GeekPwn2019
On October 24, at the GeekPwn 2019 International Security Geek Competition held in Shanghai, we successfully hijacked the QR code of the HTTPS website in the same local area network and hijacked the mailbox to obtain the mailbox password. With the “Most Familiar Strangers: A New Type of HTTPS Hijacking Technology” project, our team successfully won the first place in this competition and was once again selected into the GeekPwn Hall of Fame.
The HTTPS protocol is one of the most important basic protocols of the Internet. It can even be said that the HTTPS protocol is the foundation that supports the secure network communication of the Internet. Therefore, its security issues have long attracted the attention of academia and industry. The flaws in the basic HTTPS-related protocols we disclosed this time have confirmed to affect many well-known domestic and foreign manufacturers. Unlike the traditional HTTPS hijacking attack principle, the hijacking technology disclosed this time can be attacked without the cooperation of the HTTP plaintext protocol. Even if the target website visited by the user deploys HTTPS best practices, the attacker can still hijack and tamper with the user and the website. Encrypted communication between websites can lead to serious consequences such as website payment hijacking and download file replacement.
- Our work has been accepted by CCS 2020：Talking with Familiar Strangers: An Empirical Study on HTTPS Context Confusion Attacks