Point-and-Click Gmail Hacking Shown at Black Hat

not5150 writes "Using Gmail or most other webmail programs over an unsecured access point just got a bit more dangerous. At Black Hat Robert Graham, CEO of errata security, showed how to capture and clone session cookies very quickly over connections without encryption. He even hijacked a shocked attendee's Gmail account in the middle of his presentation. 'While Ou was typing, Graham was running Ferret and sniffing all the cookies that were being sent from Ou's laptop and Google. Graham then clicked on Ou's IP address and Gmail page, complete with Ou's recently sent message on the screen. We photographed both Graham's and Ou's laptop at that time and posted it to the picture gallery. You'll see that the contents are exactly the same.'"

Slow News day?

Somebody intercepted plaintext on an open network . . . . did I miss something?

Re:Slow News day?

if the traffic is sniffed as the browser is sending the SSL requests, one could sniff the SSL key and just use that to get in.

You have no idea how SSL works.

Re:Slow News day?

Seemingly neither do the people in the comments section at the bottom of TFA :-(

Worrying.

Re:Slow News day?

Also, logging in via SSL doesn't always work either - if the traffic is sniffed as the browser is sending the SSL requests, one could sniff the SSL key and just use that to get in.

SSL uses Diffie-Hellman key exchange [wikipedia.org] so no unencrypted key is ever sent

Re:Slow News day?

That's odd. I go to https://mail.google.com/ and at no time during the login process do I ever see the address bar go from yellow to white. Are you sure it still works the way you say? Or is it sending something unencrypted so fast that I'm just not noticing (which would be kind of worrying).

Re:Slow News day?

I believe if you use https://gmail.google.com/ [google.com] (note gmail instead of mail) your whole mail session is always encripted and not the login page only.

Re:Slow News day?

Because this means more computing for google servers.

This is Google we're talking about. They can take it.

I mean, seriously, even an old 200 mhz Linux box set up as a server can do crypto at wire speed (100 mbit ethernet). I'm sure it takes them more cycles to spellcheck it for you.

And also because your mail is sent as plain text to the recipient's mail server (and it came as plain text on google server). So it would be useless to crypt only the first (or last) part of the way.

"Not entirely secure" is not the same thing as "useless".

Consider: The majority of most websites are mostly served as plain HTML over HTTP. Is it still "useless" for me to admin mine using SSH instead of unsecured FTP? I think not.

The point I am making here is, if your communications with Gmail are unencrypted, it makes it possible for someone to not only intercept the content of the message, but alter it -- they could, in fact, hijack your whole session, gain access to your archived mail, and send mail pretending to be you. All of this is theoretically possible with that SMTP connection between Gmail and another mailserver, but it's also insanely difficult to get anywhere close to what you can get by hijacking the session.

And there's even a point to encrypting it, as opposed to just signing it. Well, two points, actually:

1. Browsers include SSL natively, but there's no spec for just signing something and sending it plaintext. Therefore, it would have to be done in JavaScript, which is MUCH slower.
2. SMTP is only used for connections between Gmail and other servers. Mail sent between you and another Gmail address is entirely secure, once it gets to the server. Why let people hijack your session and make it insecure?

I mean, I tend to agree with you somewhat -- I only really do email from the one machine that has my GPG key, and I wouldn't use Gmail for more than backup. I don't see much point to webmail, because I never login to anything from a computer that isn't my own, because I don't like exposing myself to keyloggers.

But even if it can't be very secure, why make it even less secure than it can be?

Re:Slow News day?

That is the correct behaviour.

Essentially, if you enter via http://mail.google.com/ [google.com] Google remembers this and encrypts only the login process and then reverts back to plain text. If you enter via https://mail.google.com/ [google.com] your session remains encrypted throughout.

Re:Slow News day?

That's easy enough to fix with a Firefox plugin: http://www.customizegoogle.com/ [customizegoogle.com]

Bottom line

I think the upshot of this isn't really "look at us, we can sniff plaintext Wifi connections," but "look at one of the biggest players in web mail use plaintext connections even though they ought to know it's a hideously bad idea."

It's more of an indictment of Google than anything, because they default to unencrypted HTTP rather than HTTPS, and most users won't know that they can go to https://mail.google.com/mail/ [google.com] to force smarter behavior.

Re:Bottom line

And furthermore, if you use google via a customised google page (http://www.google.com/ig) then even if you redirect that to https://.../ [...] then the link to GMail is still regular http.

psh

everyone knows my mom's cookies taste better than gmail's. they can't be intercepted over an open wirless network either.

Re:psh

Maybe not, but the heavenly smell is basically a SSID broadcast of their existance to those interested in finding them.

Could be fixed easily by Google. Shame.

This is shameful. It's 2007, Google. SSL has been a (reasonable) standard since 1996. USE IT.

Re:Could be fixed easily by Google. Shame.

They offer it. All you have to do is go to https://mail.google.com/ [google.com] rather than http://mail.google.com./ [mail.google.com]

I fail to see how the average person, as usual, being lax about their security is in any way Google's fault. This was something I found immediately, just because I won't check my email without a secure connection.

Re:Could be fixed easily by Google. Shame.

I fail to see how the average person, as usual, being lax about their security is in any way Google's fault. This was something I found immediately, just because I won't check my email without a secure connection.

A lot of people wouldn't know about this or even look for it and you know it. Google could make https the default or even mandatory, and it would completely kill this entire issue.

Re:Could be fixed easily by Google. Shame.

A huge part of security is having sane defaults. If you support 'secure' and 'insecure' you should default to 'secure,' and let users who know what they are doing, and need 'insecure' behaviour opt into it. You shouldn't default to 'insecure' and make it the users' responsibility to select 'secure.'

It's not Google's fault...

It's not Google's fault -- gmail is still in beta! :)

Re:Could be fixed easily by Google. Shame.

The user must take responsibility for their own security.

Yet we turn around and lambaste Microsoft for allowing users to run as Administrator by default, having no-password logins, not locking down the registry, and allowing 3rd party developers to still require admin privileges just to run a userspace application.

The point is, security is more than just "what's available." It also has to be about how good the defaults are. The technical community cried foul when Microsoft included a firewall in Windows XP but didn't have it turned on by default, and we complained so much that in SP2 Microsoft finally changed the default.

I agree that security is ultimately the responsibility of the user, but they should not have to seek out secure settings and turn them all on one by one. The default mode for any network-enabled program should be Secure. If the user needs Insecure, then they should have to change a setting to make it so. Spam should be opt-in, security should be opt-out. Anything else is unfair to the user.

Good reason to install Better GMail!

The Firefox extension forces GMail to always run over SSL. It's great! [lifehacker.com]

Re:Good reason to install Better GMail!

I think you should have linked to the Mozilla addons [mozilla.org] page. I know I wouldn't install a firefox addon from a random site with the name hacker in the URL.

Thunderbird?

I use Thunderbird for Windows XP to manage all my different email accounts. Would something like this be a danger, or does Thunderbird encrypt traffic?

Correct me if I'm wrong but

Even if you don't have encrypted transfer, session cookies can be easily secured by associating them with a certain IP address. The attacker who captures the cookies has a differnt IP address so the cookie is rejected as invalid. The only situation where this solution may get a bit annoying is if you're behind a load-balancing proxy, which changes your IP address on every request (fortunately, this is somewhat rare.) It's better than allow easy hijacks...

Re:Correct me if I'm wrong but

If the hijacker gets on your wireless AP, then he's NATed behind the same public IP address as you. Voila, he matches your IP. Another layer is to also fix the session cookie to the browser's UA string, but that won't work if the attacker knows you're doing it and changes his browser's UA string to match yours. In summary, secure your wireless AP if you're a user and buy some SSL acceleration hardware so you can support forcing all traffic on your website to use SSL if you're a service provider.

Security is an application-layer problem.

In summary, secure your wireless AP if you're a user and buy some SSL acceleration hardware so you can support forcing all traffic on your website to use SSL if you're a service provider.

I agree with the latter recommendation about using SSL, but saying 'secure your wireless AP' doesn't do a lot to help the many public wifi locations; I think it's unhealthy to ever assume that a wireless connection will be secure. As more wireless networks are rolled out, and more people get laptops with built-in wireless and traipse happily from home to their local coffeeshop, where they're sharing an IP and an unencrypted connection with many untrusted users, opportunities for sniffing and hijacking are only going to become more common.

As users demand more portability, security and authentication need to be moved (and kept) up at the application layer, and not simply assumed as part of the datalink or physical layers.

Re:Correct me if I'm wrong but

Even if you don't have encrypted transfer, session cookies can be easily secured by associating them with a certain IP address. The attacker who captures the cookies has a differnt IP address so the cookie is rejected as invalid.

More often than not, all users of a wireless net is behind a NAT device, which makes all the devices have the same official IP. The same applies to most domestic, workplace and school wlans, so really, that would make little or no difference. Now, in a IPv6 world, it would make a difference, since everyone has a unique IP there...

This isn't new!

Ok, so he was sniffing TCP/IP packets for HTTP cookies in unencrypted traffic passing over the same wireless network as him, maybe some nifty tools there but the idea is not new at all.

Yes, it is.

You're right that the exploit itself really isn't that new. What's new is twofold:

1) It's being done to Gmail, a service provided by People Who Should Know Better.
2) There is now a tool that allows any script kiddie to do it, meaning that it's no longer a theoretical exploit; it's something that your next-door neighbor is going to be doing to you (or your slightly less-technically-savvy family/friends) if you don't take precautions.

#2 is probably most significant, since it's really what's going to cause #1 to change. Sometimes, producing a GUIed, Windows-based exploit tool is the fastest way to get a problem fixed, because it's the easiest way to turn an academic argument into a real-world security issue that will get resources thrown at it. (Of course, it may also land you in jail.)

Firefox

I don't have the extension that forces it to use SSL, but all you have to do to force the connection manually is add the 's' after http, and the session will reload under SSL. Hopefully you haven't already been compromised at that point.

I'm going to look for the Firefox extension now...

POP/SMTP + SSL

Oh well. At least with gmail you get the option to use POP/SMTP, which in their case is SSL secured.

Of course, you still have to use web access to enable it.

Duhh

Duh...
The guy is intercepting traffic and stole a cookie. Big deal.
Additional info : If you need the id as well, try base64 decoding of all the fields in the cookie ( dont remember whether it was orkut or gmail that sends out id base64 encoded )
And why exactly is this front page news? The attack is lame, and the technique is script kiddie stuff, and has been around since ages.

O RLY?

I'm sure everyone's going to bitch about how Google should use SSL for everything. And from a marketing perspective, maybe they should.

But the openness of your wireless network really isn't their problem. You don't blame the banks if you shout your PIN out while you're at the ATM, do you? Or, more aptly, you don't blame the bank if you trust your ATM card and PIN to some stranger in a coffee shop.

It isn't Google's responsibility to secure your connection end-to-end. It's far more reasonable to think that it's your responsibility to not broadcast sensitive information in plaintext!!

A BLack hat attendee hacked?

Please. Those guys are supposed to be security wizards! And now one of them is caught using plain HTTP to access gmail? I hope they laughed hard at him. Even securety noobs like me know when to use HTTP and HTTPS.

Luckily gmail keeps the entire session in https opposed to other sides that also are hackable the same way, where only the logon is secure. After that they switch to http and are susceptible (e.g. facebook) to this attack.

There is more on this on Ars Technica: http://arstechnica.com/news.ars/post/20070801-repo rt-sidejacking-session-information-over-wifi-easy- as-pie.html [arstechnica.com]

Always use https://gmail.google.com

Although they don't have a public key scheme strong enough for the AES-256 (requires 15360-bit RSA or 256-bit ECC for public key), you should always be logging in using https://gmail.google.com/ [google.com] from all locations (even home) to ensure the entire session is encrypted.

ssl and gmai.

if you put a https instead of http for gmail.google.com it'll work. I dont understand why they don't do this by default if they already support it.

Cookie Monters with Black Hats

That's my cookie you teratogenic monster!!!!

Easy fix

Bookmark the secure address and use that (who wouldn't over open wireless??). You could also use http://www.customizegoogle.com/ [customizegoogle.com] with Firefox if you're using Gmail to force it to go to the secure URL.

use gmail over https

Accessing http://gmail.google.com/ [google.com] will redirect you to a secure page for login, but after that you're back in plain text. If you start at https://gmail.google.com/ [google.com] then afaik the rest of your gmail session runs over SSL.

Make it default to https

#  This is how I did it:
#
#  Actual snippet from my Apache configuration .....  mostly.
#  Some details have been changed to protect the innocent
#  And some details have been changed to protect the guilty
#
#  The virtual host "secure.mydomain.co.uk" cannot be accessed
#  by http; only by https.
#
#  The insecure port
<VirtualHost 10.11.12.13:80>
    ServerName secure.mydomain.co.uk
    DocumentRoot /var/www/
    <Directory /var/www/>
        RedirectMatch ^/[^iI] /insecure/
        # In this directory is a page with a dire warning
        # that https is required to access this server.
        # NB.  To avoid creating an infinite loop, we never
        # redirect if request begins with I or i.
    </Directory>
</VirtualHost>
#  The secure port
<VirtualHost 10.11.12.13:443>
    SSLEngine on
    .....
</VirtualHost>

What about iGoogle?

So one can force an SSL connection via https://mail.google.com/ [google.com] (or similarly with an appropriate Firefox plugin). However, when I try to force an SSL connection to my iGoogle home page by using "https", it simply redirects to an unsecured "http" request. I have widgets on this page displaying my GMail inbox and my google calendar events. I'm assuming this info is handled via insecure requests as well. Is this true? Any way to safeguard against this?

Ferret?

Nice thing that the summery explain what the "Ferret" program was and how to find it. Would be nice to actually show my friends the danger of http (not https) web mail.

Running all traffic over HTTPS...

Is hardly a viable strategy. Even with the best SSL accelerators, you're lucky to get 30-40% of the performance that plain HTTP gives you. They could certainly prevent man in the middle attacks, but unless you're on an open wifi network, the chances of being caught in a man in the middle are extremely slim. Use WEP or some other encryption mechanism to your router and you really shouldn't have any problems unless your ISP or some back bone router gets compromised. SSL is certainly critical at login time (which is why any website worth mentioning uses it), but SSL for all traffic is unnecessary. The thing that makes me laugh the most is that if all (authenticated) web traffic was done over HTTPS, the people complaining now would be the same ones complaining about how slow the website was.

The clue word here is "sniffing".

While Ou was typing, Graham was running Ferret and sniffing all the cookies that were being sent from Ou's laptop and Google.

This has nothing to do with any Google insecurity.

On a wired switched network, it's only possible to sniff from either a mirrored switch port or from a hub connection that has been put somewhere in the data path of the target being sniffed. Neither of these things are a particularly easy thing to do.

On a wireless network, sure, it's easy if the network is secure and encrypted - but anyone who uses an insecure unecrypted wireless network is a total fool if he or she is surprised that this kind of exploit works.

The fact is if any encryption key exchanges go on between encrypting endpoints, if you can sniff what the two are doing and catch the data flow at the right time as a "man-in-the-middle" attack, it's theoretically possible to intercept just about any type of connection - difficult but possible.

Move along, there really is nothing to see here.

It's about the Wireless ...

I think the reason this very old exploit was brought up is because more and more people are using wireless access points and not realizing how drastically less secure they are than a wired connection. Back when everyone used ethernet, a hacker had to physically get onto the same switch as you to perform this hack. Now they can just pull up in their car on the street outside of the Starbucks that you are at. And yes, google/yahoo/MSN/everyone should be switching to SSL for all this stuff.

So, why are we still using the webmail client?

With excellent and free clients out there (Like Thunderbird) why would anyone bother using the silly web interface? If you don't have access to your computer, you still have access to your phone and most of them have email programs running on them....

Repeat after me...

The url is httpS://mail.google.com. The performance hit isn't noticeable, but the security increase sure is...

Re:I give 10 minutes

Apple has nothing at all to do with it.

Re:I give 10 minutes

What the hell does Apple have to do with GMail?

Re:thank god...

Do they not use cookies? If they do, then unless I'm misunderstanding something, you won't be any more safe then if you are using GMail.

Re:thank god...

yea...your just as screwed from the sound of it.

Re:thank god...

I have never heard of anyone thanking God that they use Yahoo... in my entire life.