A critical vulnerability in secure web gateway (SWG) systems has been revealed by SquareX researchers, potentially exposing any business, organization, or individual to “last mile reassembly” attacks. These attacks can enable malicious actors to deploy malware on a device, circumventing existing security measures.
As cyber threats become more pervasive, businesses increasingly rely on SWG vendors—such as Cloudflare, Cisco, Palo Alto, and Fortinet—to ensure that employees and users do not inadvertently download malicious files. These SWGs are designed to scan all incoming and outgoing traffic, analyzing data in real time to block threats before they reach the device. However, Vivek Ramachandran, cybersecurity expert and founder of SquareX, has identified a fundamental flaw in SWG functionality that could undermine their effectiveness.
Ramachandran explained that traditional SWGs detect threats by monitoring file downloads. The issue arises when the threat is not recognized as a file download. “The trigger for an SWG to work is a file download,” Ramachandran said in an interview with Cybernews. “So, what if we could completely kill that chain where the SWG doesn’t even know a file is being downloaded?” To illustrate, he compared the issue to smuggling a weapon by breaking it into parts. If each part is smuggled separately, security is less likely to detect the complete weapon. Similarly, attackers can exploit SWG vulnerabilities by breaking down malicious content into components that do not trigger the SWG’s defenses.
SquareX researchers have discovered 25 different ways to bypass SWG protections from major providers. Remarkably, these vulnerabilities can be exploited via any popular web browser, according to Cybernews. The core issue is that while SWGs can analyze traffic, they cannot see activities occurring within the browser, a blind spot that SquareX has effectively exploited.
Ramachandran noted that detecting these last mile reassembly attacks would require sending synchronized browser states back to the cloud, a solution that is impractical at scale because it would require changing SWG vendors' business model and raising their prices drastically.
Although last mile reassembly attacks are complex to execute, advances in large language models (LLMs) such as ChatGPT may now allow far less skilled individuals to exploit them. Ramachandran shared that his team tested this by assigning an intern to develop an exploit using LLMs. Remarkably, the intern succeeded in creating an exploit with minimal coding expertise.
Ramachandran warned that because SWG protection has become an industry standard, many companies take it for granted and remain unaware of the vulnerabilities it may have, which is worrisome.