Point-and-Click Gmail Hacking Shown at Black Hat

not5150 writes "Using Gmail or most other webmail programs over an unsecured access point just got a bit more dangerous. At Black Hat Robert Graham, CEO of errata security, showed how to capture and clone session cookies very quickly over connections without encryption. He even hijacked a shocked attendee's Gmail account in the middle of his presentation. 'While Ou was typing, Graham was running Ferret and sniffing all the cookies that were being sent from Ou's laptop and Google. Graham then clicked on Ou's IP address and Gmail page, complete with Ou's recently sent message on the screen. We photographed both Graham's and Ou's laptop at that time and posted it to the picture gallery. You'll see that the contents are exactly the same.'"

Slow News day?

[OverlordQ]

Somebody intercepted plaintext on an open network . . . . did I miss something?

Re:Slow News day?

[tizan]

I believe if you use https://gmail.google.com/ (note gmail instead of mail) your whole mail session is always encripted and not the login page only.

Re:Slow News day?

[SanityInAnarchy]

Because this means more computing for google servers.

This is Google we're talking about. They can take it.

I mean, seriously, even an old 200 mhz Linux box set up as a server can do crypto at wire speed (100 mbit ethernet). I'm sure it takes them more cycles to spellcheck it for you.

And also because your mail is sent as plain text to the recipient's mail server (and it came as plain text on google server). So it would be useless to crypt only the first (or last) part of the way.

"Not entirely secure" is not the same thing as "useless".

Consider: The majority of most websites are mostly served as plain HTML over HTTP. Is it still "useless" for me to admin mine using SSH instead of unsecured FTP? I think not.

The point I am making here is, if your communications with Gmail are unencrypted, it makes it possible for someone to not only intercept the content of the message, but alter it -- they could, in fact, hijack your whole session, gain access to your archived mail, and send mail pretending to be you. All of this is theoretically possible with that SMTP connection between Gmail and another mailserver, but it's also insanely difficult to get anywhere close to what you can get by hijacking the session.

And there's even a point to encrypting it, as opposed to just signing it. Well, two points, actually:

1. Browsers include SSL natively, but there's no spec for just signing something and sending it plaintext. Therefore, it would have to be done in JavaScript, which is MUCH slower.
2. SMTP is only used for connections between Gmail and other servers. Mail sent between you and another Gmail address is entirely secure, once it gets to the server. Why let people hijack your session and make it insecure?

I mean, I tend to agree with you somewhat -- I only really do email from the one machine that has my GPG key, and I wouldn't use Gmail for more than backup. I don't see much point to webmail, because I never login to anything from a computer that isn't my own, because I don't like exposing myself to keyloggers.

But even if it can't be very secure, why make it even less secure than it can be?

Re:Correct me if I'm wrong but

[Stile+65]

If the hijacker gets on your wireless AP, then he's NATed behind the same public IP address as you. Voila, he matches your IP. Another layer is to also fix the session cookie to the browser's UA string, but that won't work if the attacker knows you're doing it and changes his browser's UA string to match yours. In summary, secure your wireless AP if you're a user and buy some SSL acceleration hardware so you can support forcing all traffic on your website to use SSL if you're a service provider.

Re:Could be fixed easily by Google. Shame.

[TheRaven64]

A huge part of security is having sane defaults. If you support 'secure' and 'insecure' you should default to 'secure,' and let users who know what they are doing, and need 'insecure' behaviour opt into it. You shouldn't default to 'insecure' and make it the users' responsibility to select 'secure.'

Yes, it is.

[Kadin2048]

You're right that the exploit itself really isn't that new. What's new is twofold:

1) It's being done to Gmail, a service provided by People Who Should Know Better.
2) There is now a tool that allows any script kiddie to do it, meaning that it's no longer a theoretical exploit; it's something that your next-door neighbor is going to be doing to you (or your slightly less-technically-savvy family/friends) if you don't take precautions.

#2 is probably most significant, since it's really what's going to cause #1 to change. Sometimes, producing a GUIed, Windows-based exploit tool is the fastest way to get a problem fixed, because it's the easiest way to turn an academic argument into a real-world security issue that will get resources thrown at it. (Of course, it may also land you in jail.)