Point-and-Click Gmail Hacking Shown at Black Hat

not5150 writes "Using Gmail or most other webmail programs over an unsecured access point just got a bit more dangerous. At Black Hat Robert Graham, CEO of errata security, showed how to capture and clone session cookies very quickly over connections without encryption. He even hijacked a shocked attendee's Gmail account in the middle of his presentation. 'While Ou was typing, Graham was running Ferret and sniffing all the cookies that were being sent from Ou's laptop and Google. Graham then clicked on Ou's IP address and Gmail page, complete with Ou's recently sent message on the screen. We photographed both Graham's and Ou's laptop at that time and posted it to the picture gallery. You'll see that the contents are exactly the same.'"

Correct me if I'm wrong but

[trifish]

Even if you don't have encrypted transfer, session cookies can be easily secured by associating them with a certain IP address. The attacker who captures the cookies has a differnt IP address so the cookie is rejected as invalid. The only situation where this solution may get a bit annoying is if you're behind a load-balancing proxy, which changes your IP address on every request (fortunately, this is somewhat rare.) It's better than allow easy hijacks...

Re:Good reason to install Better GMail!

[afidel]

I think you should have linked to the Mozilla addons page. I know I wouldn't install a firefox addon from a random site with the name hacker in the URL.

Re:Could be fixed easily by Google. Shame.

[SatanicPuppy]

They offer it. All you have to do is go to https://mail.google.com/ rather than http://mail.google.com./

I fail to see how the average person, as usual, being lax about their security is in any way Google's fault. This was something I found immediately, just because I won't check my email without a secure connection.

Bottom line

[Kadin2048]

I think the upshot of this isn't really "look at us, we can sniff plaintext Wifi connections," but "look at one of the biggest players in web mail use plaintext connections even though they ought to know it's a hideously bad idea."

It's more of an indictment of Google than anything, because they default to unencrypted HTTP rather than HTTPS, and most users won't know that they can go to https://mail.google.com/mail/ to force smarter behavior.

Re:Bottom line

[It'sYerMam]

And furthermore, if you use google via a customised google page (http://www.google.com/ig) then even if you redirect that to https://.../ then the link to GMail is still regular http.

Re:Slow News day?

if the traffic is sniffed as the browser is sending the SSL requests, one could sniff the SSL key and just use that to get in.

You have no idea how SSL works.

Re:Could be fixed easily by Google. Shame.

[Bob+535604]

I fail to see how the average person, as usual, being lax about their security is in any way Google's fault. This was something I found immediately, just because I won't check my email without a secure connection.

A lot of people wouldn't know about this or even look for it and you know it. Google could make https the default or even mandatory, and it would completely kill this entire issue.

Re:Slow News day?

[The+Velour+Fog]

Also, logging in via SSL doesn't always work either - if the traffic is sniffed as the browser is sending the SSL requests, one could sniff the SSL key and just use that to get in. SSL uses Diffie-Hellman key exchange so no unencrypted key is ever sent

Re:Slow News day?

[Kartoffel]

That's easy enough to fix with a Firefox plugin: http://www.customizegoogle.com/

Re:Slow News day?

[gpuk]

That is the correct behaviour.

Essentially, if you enter via http://mail.google.com/ Google remembers this and encrypts only the login process and then reverts back to plain text. If you enter via https://mail.google.com/ your session remains encrypted throughout.