Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Communications IT

Point-and-Click Gmail Hacking Shown at Black Hat 260

not5150 writes "Using Gmail or most other webmail programs over an unsecured access point just got a bit more dangerous. At Black Hat Robert Graham, CEO of errata security, showed how to capture and clone session cookies very quickly over connections without encryption. He even hijacked a shocked attendee's Gmail account in the middle of his presentation. 'While Ou was typing, Graham was running Ferret and sniffing all the cookies that were being sent from Ou's laptop and Google. Graham then clicked on Ou's IP address and Gmail page, complete with Ou's recently sent message on the screen. We photographed both Graham's and Ou's laptop at that time and posted it to the picture gallery. You'll see that the contents are exactly the same.'"
This discussion has been archived. No new comments can be posted.

Point-and-Click Gmail Hacking Shown at Black Hat

Comments Filter:
  • Slow News day? (Score:5, Insightful)

    by OverlordQ ( 264228 ) on Friday August 03, 2007 @10:15AM (#20100753) Journal
    Somebody intercepted plaintext on an open network . . . . did I miss something?
    • Re: (Score:2, Interesting)

      The funny thing is, gmail offers the ability to sign-in securely, but not an option to keep it SSL throughout the entire session. It works when you manually change the http to https in the url after signed in, but there is still brief moment of unsecured traffic during this process.

      • Re:Slow News day? (Score:5, Interesting)

        by zippthorne ( 748122 ) on Friday August 03, 2007 @10:36AM (#20101095) Journal
        That's odd. I go to https://mail.google.com/ and at no time during the login process do I ever see the address bar go from yellow to white. Are you sure it still works the way you say? Or is it sending something unencrypted so fast that I'm just not noticing (which would be kind of worrying).
        • Re:Slow News day? (Score:5, Insightful)

          by tizan ( 925212 ) on Friday August 03, 2007 @11:40AM (#20102173)
          I believe if you use https://gmail.google.com/ [google.com] (note gmail instead of mail) your whole mail session is always encripted and not the login page only.
        • by Sancho ( 17056 )
          You can actually sniff the traffic to see that your browser is making requests to Gmail over port 80. It's that magical Web 2.0 crap--you can't really tell what your browser is doing by the visual cues that have worked so well in the past.
        • Re:Slow News day? (Score:4, Informative)

          by gpuk ( 712102 ) on Friday August 03, 2007 @11:54AM (#20102397)
          That is the correct behaviour.

          Essentially, if you enter via http://mail.google.com/ [google.com] Google remembers this and encrypts only the login process and then reverts back to plain text. If you enter via https://mail.google.com/ [google.com] your session remains encrypted throughout.
          • It IS a silly default, though. All you have to do is forget to type it manually just once and bam, plaintext. Anyone can read the subjects of emails sent to you at the very least.

            I mean, yeah, some people might not care about security, but that's no reason to make the default inherently insecure. At the very least, they could have the first view not actually show the contents of the inbox, so when you log in insecurely by mistake, you can switch to secure without actually compromising anything.

            But it IS
            • Well, I dunno about you but I use one main PC at home, one Mac laptop, and one PC at work, and I have setup all three with a toolbar bookmark that goes to the secure Gmail session. https://mail.google.com/ [google.com]

              That makes it easy to connect the right way. It doesn't take long to type by hand either.

      • Re:Slow News day? (Score:5, Informative)

        by Kartoffel ( 30238 ) on Friday August 03, 2007 @10:37AM (#20101105)
        That's easy enough to fix with a Firefox plugin: http://www.customizegoogle.com/ [customizegoogle.com]
      • Even if they did somehow get your session cookie, you're logged in via a secure connection (:443) and I'm sure it would be noticed by google if they tried to use your session cookie to log in without your SSL credentials- which of course there's no way to get.
      • If you just type in mail.google.com and rely on your browser to prepend the http:/// [http] for you, it will direct you to the secure page for login and then back to the non-secure page for email. If however, you initially type in https://mail.google.com/ [google.com], login, you will stay on https.
    • Bottom line (Score:5, Informative)

      by Kadin2048 ( 468275 ) * <slashdot.kadinNO@SPAMxoxy.net> on Friday August 03, 2007 @10:26AM (#20100921) Homepage Journal
      I think the upshot of this isn't really "look at us, we can sniff plaintext Wifi connections," but "look at one of the biggest players in web mail use plaintext connections even though they ought to know it's a hideously bad idea."

      It's more of an indictment of Google than anything, because they default to unencrypted HTTP rather than HTTPS, and most users won't know that they can go to https://mail.google.com/mail/ [google.com] to force smarter behavior.
    • I'd be a lot more impressed if they had altered Doug Song's toolsuite from 7 years ago to use wifi at layer 2.

      Dsniff / Monkey in the middle attacks [monkey.org]

  • by OpenGLFan ( 56206 ) on Friday August 03, 2007 @10:18AM (#20100795) Homepage
    This is shameful. It's 2007, Google. SSL has been a (reasonable) standard since 1996. USE IT.
    • Re: (Score:2, Informative)

      by ohearn ( 969704 )
      Gmail will use SSL over any browser, it just doesn't by default (which is a shame, but easily fixed for those of us that care)
    • by SatanicPuppy ( 611928 ) * <Satanicpuppy&gmail,com> on Friday August 03, 2007 @10:26AM (#20100899) Journal
      They offer it. All you have to do is go to https://mail.google.com/ [google.com] rather than http://mail.google.com./ [mail.google.com]

      I fail to see how the average person, as usual, being lax about their security is in any way Google's fault. This was something I found immediately, just because I won't check my email without a secure connection.
      • by Bob 535604 ( 871095 ) on Friday August 03, 2007 @10:30AM (#20101005)

        I fail to see how the average person, as usual, being lax about their security is in any way Google's fault. This was something I found immediately, just because I won't check my email without a secure connection.
        A lot of people wouldn't know about this or even look for it and you know it. Google could make https the default or even mandatory, and it would completely kill this entire issue.
      • by TheRaven64 ( 641858 ) on Friday August 03, 2007 @10:31AM (#20101011) Journal
        A huge part of security is having sane defaults. If you support 'secure' and 'insecure' you should default to 'secure,' and let users who know what they are doing, and need 'insecure' behaviour opt into it. You shouldn't default to 'insecure' and make it the users' responsibility to select 'secure.'
        • You forgot this is Google who has erred here, and they have been shown to be Good, so you get people defending their poor security practices simply because they like Google. Are you new here? ;)
          • What error? Did they ever claim it was secure to send email over an unsecured connection? The service is provided: "...on an AS IS and AS AVAILABLE basis. Google disclaims all responsibility and liability for the availability, timeliness, security or reliability of the Service. Google also reserves the right to modify, suspend or discontinue the Service with or without notice at any time and without any liability to you." Gmail Terms of Use [google.com]

            If you thought anything else, you were out of your fricking mind...I
            • So now it isn't an error?

              Unbelievable. Secure by default is not a nice feature, it is the ONLY option when properly engineering something. Free or otherwise. If you think otherwise, then you're doing a grave disservice to your users. Anyway, I'm looking forward to quoting this thread in future security discussions. Evidently, security isn't as important these days, or, it isn't if you're Google.
              • If they had enabled SSL be default, they'd be the only free web mail provider to have done so. That's the way it's done. If you don't like it, might try using a service you have to pay for.
        • They default to insecure because if everyone was using their secure server, it would implode. People shouldn't need their hands held.
          • You've both implied that people should use the secure server on their own, and that doing so would cause Google's server to break. If Google's secure server doesn't have the capacity to handle a significant proportion of the user base, then that is in effect a wish for people not to use the service securely. Regardless of people not needing their hands held, Google apparently doesn't want to implement secure practices.
        • by overeduc8ed ( 799654 ) on Friday August 03, 2007 @11:07AM (#20101631)
          It's not Google's fault -- gmail is still in beta! :)
      • Re: (Score:2, Informative)

        by teknopurge ( 199509 )
        We have redirects setup on all plain-text channels that have a login to SSL, and have for the past 6 years; this is beyond common-sense.
      • Re: (Score:3, Interesting)

        correct me if I'm wrong, but don't most who complain about microsoft OSes point to prior defaults to administrator privileges as a major security concern? If so, by that same reasoning, shouldn't web services default to more secure configurations as opposed to less?
      • by Wicko ( 977078 )
        Is there a method to do this with Google's Personalized Homepage, as you can enable it to give you a preview of your email? I didn't see any options to change that.

        lthough I guess I don't have much to worry about since we don't use wireless in our home.
      • by dr_d_19 ( 206418 )
        I fail to see how the average person, as usual, being lax about their security is in any way Google's fault.

        Maybe because you can simply tie the session to the client IP adress and verify it during each request, which puts an end to the hijacking.
        • by awing0 ( 545366 )
          This won't work when you're on the same network as the attacker. That's the situation that was demonstrated here. There are a number of ways to spoof an IP address on an 802.11 network and have bidirectional communication. Add in the fact that you could be behind a NAT and you don't even need to go through the trouble.
        • by Electrum ( 94638 )
          Maybe because you can simply tie the session to the client IP adress and verify it during each request, which puts an end to the hijacking.

          Not with NAT, which is typically when you are most vulnerable (i.e. a shared wireless network).
      • by bberens ( 965711 )
        When I go to my bank or credit card website I never bother to put the https as I'm typing the URL because they will always redirect me to a secure connection. It's a basic and common practice for services with important information. I would argue you shouldn't be putting important information on Google's web servers, but that still doesn't mean that they can't make a very simple change and dramatically increase the security of the data they hold.
    • by caseih ( 160668 )
      Someone on PRI radio the other day pointed out that if Google defaulted to SSL for gmail, they would experience a server load that would be an order of magnitude more than they currently deal with. So I don't think that SSL is the answer here. What we need to find is a way to do a non-SSL session without a risk of the session being stolen. Perhaps some kind of light-weight cryptographic exchange on every request or something. A cookie that constantly changes and cannot be reused. Some way of making sur
  • by trifish ( 826353 ) on Friday August 03, 2007 @10:21AM (#20100825)
    Even if you don't have encrypted transfer, session cookies can be easily secured by associating them with a certain IP address. The attacker who captures the cookies has a differnt IP address so the cookie is rejected as invalid. The only situation where this solution may get a bit annoying is if you're behind a load-balancing proxy, which changes your IP address on every request (fortunately, this is somewhat rare.) It's better than allow easy hijacks...
    • by Stile 65 ( 722451 ) on Friday August 03, 2007 @10:26AM (#20100901) Homepage Journal
      If the hijacker gets on your wireless AP, then he's NATed behind the same public IP address as you. Voila, he matches your IP. Another layer is to also fix the session cookie to the browser's UA string, but that won't work if the attacker knows you're doing it and changes his browser's UA string to match yours. In summary, secure your wireless AP if you're a user and buy some SSL acceleration hardware so you can support forcing all traffic on your website to use SSL if you're a service provider.
      • Re: (Score:3, Interesting)

        by TheRaven64 ( 641858 )
        Even if he's not NAT'd, if he's on the same WLAN then he's on the same broadcast segment as the real owner of the IP, so he can just send packets claiming to be from the legitimate user and run his interface in promiscuous mode to grab the replies.
      • In summary, secure your wireless AP if you're a user and buy some SSL acceleration hardware so you can support forcing all traffic on your website to use SSL if you're a service provider.

        I agree with the latter recommendation about using SSL, but saying 'secure your wireless AP' doesn't do a lot to help the many public wifi locations; I think it's unhealthy to ever assume that a wireless connection will be secure. As more wireless networks are rolled out, and more people get laptops with built-in wireless and traipse happily from home to their local coffeeshop, where they're sharing an IP and an unencrypted connection with many untrusted users, opportunities for sniffing and hijacking are only going to become more common.

        As users demand more portability, security and authentication need to be moved (and kept) up at the application layer, and not simply assumed as part of the datalink or physical layers.
        • I think it's unhealthy to ever assume that a wireless connection will be secure.

          A few days ago my business partners and I were in some podunk town not far from Sacramento for a demonstration. The morning demonstration went well, but the potential customer was cool to buying, and so was kind of short. So there we were, all three of us, in some foreign town around lunch time. We found an ice cream shop that served sandwiches and had a wifi hotspot.

          So we whipped out our laptops, took over a table, ordered some
      • When you are sniffing wireless traffic you aren't actually associated with any access point. You simply open up your wireless card to receive all the 802.11 traffic floating around it.

        Using WEP is just as bad as not using any security on your AP. If someone is savvy enough to sniff wireless traffic then they are savvy enough to crack your 128 bit WEP key in 10 minutes.
    • by trifish ( 826353 )
      I've just read TFA and realised that all people in the room were sharing the same IP address, so what I described in parent post wouldn't help. The only thing they can do is force SSL to all requests.
    • by vidarlo ( 134906 ) <vidarlo@bitsex.net> on Friday August 03, 2007 @10:29AM (#20100981) Homepage

      Even if you don't have encrypted transfer, session cookies can be easily secured by associating them with a certain IP address. The attacker who captures the cookies has a differnt IP address so the cookie is rejected as invalid.
      More often than not, all users of a wireless net is behind a NAT device, which makes all the devices have the same official IP. The same applies to most domestic, workplace and school wlans, so really, that would make little or no difference. Now, in a IPv6 world, it would make a difference, since everyone has a unique IP there...
    • by suv4x4 ( 956391 )
      Even if you don't have encrypted transfer, session cookies can be easily secured by associating them with a certain IP address. The attacker who captures the cookies has a differnt IP address so the cookie is rejected as invalid.

      AOL dial-up which is relatively popular in USA (yea..) does this. Every request is on a different IP. Which is why many people don't do this.

      It gets complex: you can not apply this fix to IP-ranges on AOL you know are used for dial-up. I also check the exact user agent string, of co
  • I don't have the extension that forces it to use SSL, but all you have to do to force the connection manually is add the 's' after http, and the session will reload under SSL. Hopefully you haven't already been compromised at that point.

    I'm going to look for the Firefox extension now...
  • I'm sure everyone's going to bitch about how Google should use SSL for everything. And from a marketing perspective, maybe they should.

    But the openness of your wireless network really isn't their problem. You don't blame the banks if you shout your PIN out while you're at the ATM, do you? Or, more aptly, you don't blame the bank if you trust your ATM card and PIN to some stranger in a coffee shop.

    It isn't Google's responsibility to secure your connection end-to-end. It's far more reasonable to think that it
    • That's dumb. An application should never assume that the network it's connected to is secure. It doesn't matter whether you're plugged into switched Ethernet, a wireless LAN, or IP over carrier pigeon -- if you're designing an application that's going to transmit sensitive/assumed-private data (which email clearly is), it's a mistake to just blithely assume that the network is in any way secure.*

      An application like Gmail should be treating all network connections as though they're unencrypted Wifi (or hubbe
    • by Jessta ( 666101 )
      But you do blame the bank if the ATM you are entering your PIN at is insecure.

      Having an open wireless network in the least of your troubles, I chance of someone in your area stiffing your packets in very small. The chance of someone stiffing your packets across the public internet is much higher.

      I have an open wireless network, but all communication of a sensitive matter is transfered over HTTP or SSH, I really don't care if random people stiff my packets and read my slashdot.
  • by StandardCell ( 589682 ) on Friday August 03, 2007 @10:35AM (#20101079)
    Although they don't have a public key scheme strong enough for the AES-256 (requires 15360-bit RSA or 256-bit ECC for public key), you should always be logging in using https://gmail.google.com/ [google.com] from all locations (even home) to ensure the entire session is encrypted.
    • by afidel ( 530433 )
      Hmm, when I look at the page info and click on security in Firefox it says the connection is using AES-256. Do you mean they are reducing the effectiveness of the AES-256 session by having a relatively weak 1120 bit public key?
      • That's exactly the problem. Using RSA around the 1k-bit key strength is equivalent to 80 bits of symmetric key strength. AES-256 is a waste otherwise because all you need to do is attack the public key encryption to extract the symmetric key, and voila.
    • Sorry, that should've been 521-bit ECC since PK strength for ECC is half the number of bits.
  • if you put a https instead of http for gmail.google.com it'll work. I dont understand why they don't do this by default if they already support it.
    • Re: (Score:2, Insightful)

      by pomerol ( 1008421 )
      Well, I suspect that the reason they don't serve GMail access over SSL by default is greed and/or the desire to be "green". Serving web content over SSL put significantly higher strain on servers. In Google's case this equates to more CPU cycles and that translates to higher power requirements. More power means higher costs for Google and more carbon emissions into Earth's atmosphere. I would like to believe that "do-no-evil" Google is doing this for the latter reason.
      • by Niten ( 201835 )

        I don't know, I'm hesitant to believe that the decision to default to non-SSL connections in GMail resulted from some sort of ethical deliberation. It was probably just a matter of "we'd need to buy $X worth of hardware to support all our users connecting over SSL, so we don't see the benefit in providing this unless the customers really begin to demand it". In other words, just business as usual.

    • I dont understand why they don't do this by default if they already support it.


      Same reason the entire web isn't SSL by default. It takes a considerable amount of CPU compared with unencrypted web traffic.
  • Easy fix (Score:3, Informative)

    by teslatug ( 543527 ) on Friday August 03, 2007 @10:56AM (#20101435)
    Bookmark the secure address and use that (who wouldn't over open wireless??). You could also use http://www.customizegoogle.com/ [customizegoogle.com] with Firefox if you're using Gmail to force it to go to the secure URL.
  • Accessing http://gmail.google.com/ [google.com] will redirect you to a secure page for login, but after that you're back in plain text. If you start at https://gmail.google.com/ [google.com] then afaik the rest of your gmail session runs over SSL.

  • by ajs318 ( 655362 ) <<sd_resp2> <at> <earthshod.co.uk>> on Friday August 03, 2007 @11:31AM (#20102029)
    #  This is how I did it:
    #
    #  Actual snippet from my Apache configuration .....  mostly.
    #  Some details have been changed to protect the innocent
    #  And some details have been changed to protect the guilty
    #
    #  The virtual host "secure.mydomain.co.uk" cannot be accessed
    #  by http; only by https.
    #
    #  The insecure port
    <VirtualHost 10.11.12.13:80>
        ServerName secure.mydomain.co.uk
        DocumentRoot /var/www/
        <Directory /var/www/>
            RedirectMatch ^/[^iI] /insecure/
            # In this directory is a page with a dire warning
            # that https is required to access this server.
            # NB.  To avoid creating an infinite loop, we never
            # redirect if request begins with I or i.
        </Directory>
    </VirtualHost>
    #  The secure port
    <VirtualHost 10.11.12.13:443>
        SSLEngine on
        .....
    </VirtualHost>
  • Comment removed based on user account deletion

To invent, you need a good imagination and a pile of junk. -- Thomas Edison

Working...