Point-and-Click Gmail Hacking Shown at Black Hat

not5150 writes "Using Gmail or most other webmail programs over an unsecured access point just got a bit more dangerous. At Black Hat Robert Graham, CEO of errata security, showed how to capture and clone session cookies very quickly over connections without encryption. He even hijacked a shocked attendee's Gmail account in the middle of his presentation. 'While Ou was typing, Graham was running Ferret and sniffing all the cookies that were being sent from Ou's laptop and Google. Graham then clicked on Ou's IP address and Gmail page, complete with Ou's recently sent message on the screen. We photographed both Graham's and Ou's laptop at that time and posted it to the picture gallery. You'll see that the contents are exactly the same.'"

Slow News day?

[OverlordQ]

Somebody intercepted plaintext on an open network . . . . did I miss something?

Re:Slow News day?

[tizan]

I believe if you use https://gmail.google.com/ (note gmail instead of mail) your whole mail session is always encripted and not the login page only.

Re:Slow News day?

[SanityInAnarchy]

Because this means more computing for google servers.

This is Google we're talking about. They can take it.

I mean, seriously, even an old 200 mhz Linux box set up as a server can do crypto at wire speed (100 mbit ethernet). I'm sure it takes them more cycles to spellcheck it for you.

And also because your mail is sent as plain text to the recipient's mail server (and it came as plain text on google server). So it would be useless to crypt only the first (or last) part of the way.

"Not entirely secure" is not the same thing as "useless".

Consider: The majority of most websites are mostly served as plain HTML over HTTP. Is it still "useless" for me to admin mine using SSH instead of unsecured FTP? I think not.

The point I am making here is, if your communications with Gmail are unencrypted, it makes it possible for someone to not only intercept the content of the message, but alter it -- they could, in fact, hijack your whole session, gain access to your archived mail, and send mail pretending to be you. All of this is theoretically possible with that SMTP connection between Gmail and another mailserver, but it's also insanely difficult to get anywhere close to what you can get by hijacking the session.

And there's even a point to encrypting it, as opposed to just signing it. Well, two points, actually:

1. Browsers include SSL natively, but there's no spec for just signing something and sending it plaintext. Therefore, it would have to be done in JavaScript, which is MUCH slower.
2. SMTP is only used for connections between Gmail and other servers. Mail sent between you and another Gmail address is entirely secure, once it gets to the server. Why let people hijack your session and make it insecure?

I mean, I tend to agree with you somewhat -- I only really do email from the one machine that has my GPG key, and I wouldn't use Gmail for more than backup. I don't see much point to webmail, because I never login to anything from a computer that isn't my own, because I don't like exposing myself to keyloggers.

But even if it can't be very secure, why make it even less secure than it can be?

Could be fixed easily by Google. Shame.

[OpenGLFan]

This is shameful. It's 2007, Google. SSL has been a (reasonable) standard since 1996. USE IT.

Re:Correct me if I'm wrong but

[Stile+65]

If the hijacker gets on your wireless AP, then he's NATed behind the same public IP address as you. Voila, he matches your IP. Another layer is to also fix the session cookie to the browser's UA string, but that won't work if the attacker knows you're doing it and changes his browser's UA string to match yours. In summary, secure your wireless AP if you're a user and buy some SSL acceleration hardware so you can support forcing all traffic on your website to use SSL if you're a service provider.

Re:thank god...

[jimbug]

Do they not use cookies? If they do, then unless I'm misunderstanding something, you won't be any more safe then if you are using GMail.

Re:Could be fixed easily by Google. Shame.

[TheRaven64]

A huge part of security is having sane defaults. If you support 'secure' and 'insecure' you should default to 'secure,' and let users who know what they are doing, and need 'insecure' behaviour opt into it. You shouldn't default to 'insecure' and make it the users' responsibility to select 'secure.'

Re:Thunderbird?

This applies to session cookies from accessing a webmail interface online. If your e-mail accounts are POP/SMTP through Thunderbird then this doesn't affect you. The WebMail plugin for Thunderbird might be affected (can it be configured to use an SSL connection? does it log-out of your mailbox and close the session when it's done?) but it generally operates so quickly that you would have very minimal exposure.

Security is an application-layer problem.

[Kadin2048]

In summary, secure your wireless AP if you're a user and buy some SSL acceleration hardware so you can support forcing all traffic on your website to use SSL if you're a service provider.

I agree with the latter recommendation about using SSL, but saying 'secure your wireless AP' doesn't do a lot to help the many public wifi locations; I think it's unhealthy to ever assume that a wireless connection will be secure. As more wireless networks are rolled out, and more people get laptops with built-in wireless and traipse happily from home to their local coffeeshop, where they're sharing an IP and an unencrypted connection with many untrusted users, opportunities for sniffing and hijacking are only going to become more common.

As users demand more portability, security and authentication need to be moved (and kept) up at the application layer, and not simply assumed as part of the datalink or physical layers.

Yes, it is.

[Kadin2048]

You're right that the exploit itself really isn't that new. What's new is twofold:

1) It's being done to Gmail, a service provided by People Who Should Know Better.
2) There is now a tool that allows any script kiddie to do it, meaning that it's no longer a theoretical exploit; it's something that your next-door neighbor is going to be doing to you (or your slightly less-technically-savvy family/friends) if you don't take precautions.

#2 is probably most significant, since it's really what's going to cause #1 to change. Sometimes, producing a GUIed, Windows-based exploit tool is the fastest way to get a problem fixed, because it's the easiest way to turn an academic argument into a real-world security issue that will get resources thrown at it. (Of course, it may also land you in jail.)

Re:ssl and gmai.

[pomerol]

Well, I suspect that the reason they don't serve GMail access over SSL by default is greed and/or the desire to be "green". Serving web content over SSL put significantly higher strain on servers. In Google's case this equates to more CPU cycles and that translates to higher power requirements. More power means higher costs for Google and more carbon emissions into Earth's atmosphere. I would like to believe that "do-no-evil" Google is doing this for the latter reason.

Not the network's job.

[Kadin2048]

That's dumb. An application should never assume that the network it's connected to is secure. It doesn't matter whether you're plugged into switched Ethernet, a wireless LAN, or IP over carrier pigeon -- if you're designing an application that's going to transmit sensitive/assumed-private data (which email clearly is), it's a mistake to just blithely assume that the network is in any way secure.*

An application like Gmail should be treating all network connections as though they're unencrypted Wifi (or hubbed/shared-media Ethernet -- let's not call out 802.11 when there are so many other networking options that can also be trivially compromised); anything else is bad design.

* I'm aware that SMTP is designed like that (as are many other core Internet protocols), but that doesn't mean it's a good idea or even close to technically correct; it was designed in kinder, gentler, and clearly more naive time, and it's caused a whole lot of pain as a result. To do the same thing today is pretty ridiculous.

What about iGoogle?

[wasimmer]

So one can force an SSL connection via https://mail.google.com/ (or similarly with an appropriate Firefox plugin). However, when I try to force an SSL connection to my iGoogle home page by using "https", it simply redirects to an unsecured "http" request. I have widgets on this page displaying my GMail inbox and my google calendar events. I'm assuming this info is handled via insecure requests as well. Is this true? Any way to safeguard against this?