Man in the Middle (MITM) Attack

Learn About Man-in-the-Middle Attacks, Vulnerabilities, and How to Prevent MITM Attacks

There are many types of security threats that attackers can use to exploit insecure applications. Threat actors can run some of these attacks using automated software, while others require a more active role from attackers. In this tutorial, we will explain the basic idea behind a man-in-the-middle (MITM) attack, providing examples and mitigation techniques.

What Is a Man-in-the-Middle Attack?

A man-in-the-middle attack is a type of eavesdropping attack, where attackers interrupt an existing conversation or data transfer. After inserting themselves in the "middle" of the transfer, the attackers pretend to be both legitimate participants. This enables an attacker to intercept information and data from either party while also sending malicious links or other information to both legitimate participants in a way that might not be detected until it is too late.

You can think of this type of attack as similar to the game of telephone where one person's words are carried along from participant to participant until it has changed by the time it reaches the final person. In a man-in-the-middle attack, the middle participant manipulates the conversation unknown to either of the two legitimate participants, acting to retrieve confidential information and otherwise cause damage.

Common abbreviations for a man-in-the-middle attack including MITM, MitM, MiM, and MIM.

Key Concepts of a Man-in-the-Middle Attack

Man-in-the-middle attacks:

  • Are a type of session hijacking
  • Involve attackers inserting themselves as relays or proxies in an ongoing, legitimate conversation or data transfer
  • Exploit the real-time nature of conversations and data transfers to go undetected
  • Allow attackers to intercept confidential data
  • Allow attackers to insert malicious data and links in a way indistinguishable from legitimate data

To learn more about software security, including man-in-the-middle attacks and other vulnerabilities, download our free State of Software Security Report

State of Software Security 2023

Read the Report

Examples of MITM Attacks

Although the central concept of intercepting an ongoing transfer remains the same, there are several different ways attackers can implement a man-in-the-middle attack.

What Is a Man-in-the-Middle Attack?

Scenario 1: Intercepting Data

  1. The attacker installs a packet sniffer to analyze network traffic for insecure communications.
  2. When a user logs in to a site, the attacker retrieves their user information and redirects them to a fake site that mimics the real one.
  3. The attacker's fake site gathers data from the user, which the attacker can then use on the real site to access the target's information.

In this scenario, an attacker intercepts a data transfer between a client and server. By tricking the client into believing it is still communicating with the server and the server into believing it is still receiving information from the client, the attacker is able to intercept data from both as well as inject their own false information into any future transfers.

Scenario 2: Gaining Access to Funds

  1. The attacker sets up a fake chat service that mimics that of a well-known bank.
  2. Using knowledge gained from the data intercepted in the first scenario, the attacker pretends to be the bank and starts a chat with the target.
  3. The attacker then starts a chat on the real bank site, pretending to be the target and passing along the needed information to gain access to the target's account.

In this scenario, the attacker intercepts a conversation, passing along parts of the discussion to both legitimate participants.

Man-in-the-Middle Attack Example

Real-World MITM Attacks

In 2011, Dutch registrar site DigiNotar was breached, which enabled a threat actor to gain access to 500 certificates for websites like Google, Skype, and others. Access to these certificates allowed the attacker to pose as legitimate websites in a MITM attack, stealing users' data after tricking them into entering passwords on malicious mirror sites. DigiNotar ultimately filed for bankruptcy as a result of the breach.

In 2017, credit score company Equifax removed its apps from Google and Apple after a breach resulted in the leak of personal data. A researcher found that the app did not consistently use HTTPS, allowing attackers to intercept data as users accessed their accounts.

Interactions Susceptible to MITM Attacks

Any improperly secured interaction between two parties, whether it's a data transfer between a client and server or a communication between two individuals over an internet messaging system, can be targeted by man-in-the-middle attacks. Logins and authentication at financial sites, connections that should be secured by public or private keys, and any other situation where an ongoing transaction could grant an attacker access to confidential information are all susceptible.

For more about application security, read our DevSecOps Playbook.

Secure Devops Survival Guide

Get the Guide

Other Forms of Session Hijacking

Man-in-the-middle attacks are only one form of session hijacking. Others include:

  • Sniffing - An attacker uses software to intercept (or "sniff") data being sent to or from your device.
  • Sidejacking - An attacker sniffs data packets to steal session cookies from your device, allowing them to hijack a user session if they find unencrypted login information.
  • Evil Twin - An attacker duplicates a legitimate Wi-Fi network, enabling them to intercept data from users who believe they are signing on to the real network.

Strengthen Your Application Security with Veracode's Cloud-Based Platform

One way to reduce the harm caused by session hijacking and other attacks is to embrace a secure software development life cycle. Techniques such as static code analysis and manual penetration testing can detect security flaws in applications before they can be exploited. Veracode's cloud-based platform is designed to help developers learn secure coding best practices. Contact us today to schedule a demo and check out our services.

Veracode Dynamic Analysis

Secure web applications at scale by performing authenticated and unauthenticated scanning all from a single product.

See a Demo