A critical HTTP/1.1 flaw threatens over 24 million websites, enabling attackers to hijack accounts, steal sensitive data, and plant malicious code. The vulnerability hides in backend systems still using HTTP/1.1, even when front-end services appear modern and secure.
How the flaw works
HTTP/1.1 lets the boundary between one request and the next be read in more than one way, and attackers exploit that ambiguity in request smuggling or “desync” attacks. These exploits let malicious payloads slip past security layers. Even sites using content delivery networks or reverse proxies, such as Cloudflare or Akamai, can be affected if upstream servers default to HTTP/1.1.
When exploited, the flaw allows attackers to manipulate user sessions, inject harmful scripts, and poison caches. This can result in stolen passwords, exposed credit card details, or users being logged into other users’ accounts at random.
Research findings
The vulnerability was highlighted by security researcher James Kettle from PortSwigger during talks at Black Hat and DEF CON. His work revealed that many infrastructure setups unknowingly revert to HTTP/1.1 behind the scenes. Kettle’s findings earned significant bug bounties and increased calls to phase out HTTP/1.1 in favor of HTTP/2.
Impact on global web security
With millions of sites exposed, the risk extends to major platforms and smaller businesses alike. Attackers can compromise accounts, steal customer data, and inject malware into legitimate web traffic. The widespread reliance on outdated protocols leaves the internet vulnerable to mass exploitation.
Recommended mitigations
Experts advise using HTTP/2 for all upstream connections to eliminate the protocol downgrade risk. Strict request validation should be enforced to detect smuggling attempts. Disabling request reuse can further limit attack vectors. Administrators can also use the open-source HTTP Request Smuggler v3.0 to test systems for vulnerabilities.
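The “strict request validation” recommended above comes down to refusing any request whose body length could be read two ways, which is the ambiguity described under “How the flaw works”. As an added illustration that is not part of this article, not PortSwigger’s HTTP Request Smuggler, and not any real proxy’s code, the Python below applies that kind of check to the header block of an HTTP/1.1 request: it rejects a Content-Length alongside a Transfer-Encoding, duplicate or non-numeric Content-Length values, obfuscated transfer codings, whitespace before a header-name colon, and bare CR/LF line endings, following the framing rules in RFC 9112 section 6 and the header-name syntax in RFC 9110. The sample requests are constructed for the example, not captured traffic.

```python
"""Strict HTTP/1.1 request-framing validator (added illustrative example).

A front-end proxy that applies checks like these closes off the ambiguous
request boundaries that desync attacks depend on: if two parsers could
disagree on where one request ends and the next begins, the request is
rejected instead of forwarded. Not PortSwigger's tool nor any real proxy.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# RFC 9110 "tchar": the only bytes permitted in a header name or method token
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Transfer codings we are willing to forward; "chunked" must come last
_ALLOWED_CODINGS = {b"chunked", b"gzip", b"deflate", b"compress"}


@dataclass
class Verdict:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def split_head(raw: bytes) -> Tuple[bytes, List[bytes]]:
    """Return (request-line, header-lines). Only CRLF terminators are
    accepted: a bare LF or stray CR is itself something parsers disagree on."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    if any(b"\n" in ln or b"\r" in ln for ln in lines):
        raise ValueError("bare CR or LF inside header block")
    return lines[0], lines[1:]


def validate_framing(raw: bytes) -> Verdict:
    """Reject any request whose body length could be read two ways."""
    reasons: List[str] = []
    try:
        request_line, header_lines = split_head(raw)
    except ValueError as exc:
        return Verdict(False, [str(exc)])

    parts = request_line.split(b" ")
    if (len(parts) != 3 or not _TOKEN.match(parts[0])
            or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1")):
        reasons.append(f"malformed request line {request_line!r}")

    content_lengths: List[bytes] = []
    codings: List[bytes] = []
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            # Covers "Transfer-Encoding : chunked" (space before the colon) and
            # control bytes in the name, which some parsers silently accept.
            reasons.append(f"invalid header name {name!r}")
            continue
        value = value.strip(b" \t")  # optional whitespace around the value
        lname = name.lower()
        if lname == b"content-length":
            content_lengths.append(value)
        elif lname == b"transfer-encoding":
            # A comma-separated list. A value such as b"chunked\x0b" keeps its
            # junk byte here and therefore fails the allow-list below.
            codings += [c.strip(b" \t").lower() for c in value.split(b",")]

    if content_lengths and codings:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(content_lengths)) > 1:
        reasons.append("conflicting Content-Length values")
    for cl in set(content_lengths):
        if not cl.isdigit():
            reasons.append(f"non-numeric Content-Length {cl!r}")
    if codings:
        bad = [c for c in codings if c not in _ALLOWED_CODINGS]
        if bad:
            reasons.append(f"unrecognised transfer coding {bad[0]!r}")
        if codings[-1] != b"chunked" or codings.count(b"chunked") != 1:
            reasons.append("chunked must be the final and only chunked coding")
    return Verdict(not reasons, reasons)


# Constructed sample requests for the example (not captured traffic).
SAMPLES: Dict[str, bytes] = {
    "clean_cl": b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "clean_te": b"POST /up HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "cl_and_te": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup_cl": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nContent-Length: 10\r\n\r\nabcd",
    "space_before_colon": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "junk_te": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\x0b\r\n\r\n0\r\n\r\n",
    "bare_lf": b"POST / HTTP/1.1\r\nHost: example.test\nContent-Length: 0\r\n\r\n",
}


def triage(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Verdict]:
    """Map sample name -> Verdict; a proxy would forward only the ok ones."""
    return {name: validate_framing(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        state = "FORWARD" if verdict.ok else "REJECT"
        print(f"{name:20} {state:8} {'; '.join(verdict.reasons)}")
```

Run as a script it prints one FORWARD/REJECT line per sample; only the two clean requests are forwarded. The point of rejecting rather than “normalising” is that a normalised request may still be parsed differently by the upstream HTTP/1.1 server, so the safe response to any ambiguity is to drop the request and, ideally, close the connection.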
Conclusion
The HTTP/1.1 flaw is a hidden threat affecting millions of websites worldwide. Without proactive upgrades and thorough security testing, attackers can exploit this weakness for large-scale account takeovers and data theft. Moving to HTTP/2 and applying strict validation offers the most effective defense.