
New Tool Automates Webmail Account Hijacks

Black Hat

LAS VEGAS -- Logging into your MySpace, Facebook, Yahoo!, Gmail or Hotmail account over a wireless connection just got a lot more dicey, as researchers here at the Black Hat hacker conference today demonstrated a new set of tools that help automate the hijacking of those accounts.

Demonstrating the tools before a standing-room-only crowd, Errata Security Chief Executive Robert Graham scanned the Black Hat wireless network for anyone logging into their Gmail accounts. Applause erupted after Graham clicked on a link in the attack tool that allowed him to log in at the same time as the victim, displaying the contents of the poor guy's Gmail inbox on giant screens that flank the speaker's podium.

While Web 2.0 services like Gmail and Facebook encrypt usernames and passwords that users submit when they log into their accounts, all keep tabs on users by placing a "cookie," or tiny text file, on the user's computer. Those cookie files are not encrypted, which means that anyone who is monitoring the network traffic flowing over a wireless network can simply intercept one of those cookie files. This allows an attacker to log in as the victim, effectively cloning the account without knowledge of the victim's login credentials.

Graham said the attack works even if victims subsequently change their passwords, or actively sign out of their accounts. However, attackers would be unable to change the victim's password, as all of the above-named services force the user to reenter the current password before changing it to a new one.

Gmail users who wish to log in to their accounts over a public Wi-Fi network can defeat this attack by taking advantage of a feature that encrypts all of the traffic between Google's servers and the browser (to do this, make sure you type https://gmail.google.com before providing your user name and password).
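The browser-side rule the article turns on, modelled in Python as an added example (not the article's text and not Errata Security's Hamster or Ferret code): cookies a site sets without the Secure attribute are resubmitted on every plaintext http request to their domain, which is exactly what a sniffer on a shared wireless network captures, while a cookie marked Secure is withheld from http. The Set-Cookie headers, cookie names and example.com hosts are constructed.

```python
from urllib.parse import urlsplit

# Added example, not code from the article or from Errata Security's Hamster
# or Ferret tools. Constructed sample: Set-Cookie headers a webmail site
# might return after an HTTPS login. Only MAIL_SESSION carries Secure.
SAMPLE_SET_COOKIE = [
    "SID=abc123; Domain=.example.com; Path=/",
    "MAIL_SESSION=def456; Domain=mail.example.com; Path=/; Secure",
    "PREF=lang%3Den; Domain=.example.com; Path=/",
]

def parse_set_cookie(header, response_host):
    """Parse one Set-Cookie header into name, value, domain and Secure flag.
    A cookie with no Domain attribute is scoped to the host that set it."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": response_host, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "secure":
            cookie["secure"] = True
        elif key.lower() == "domain":
            cookie["domain"] = val.lower()
    return cookie

def domain_matches(cookie_domain, host):
    """A leading dot covers the bare domain and all subdomains; without one
    the cookie is scoped to that exact host (simplified browser rule)."""
    if cookie_domain.startswith("."):
        return host == cookie_domain[1:] or host.endswith(cookie_domain)
    return host == cookie_domain

def cookies_sent(cookies, url):
    """Names of the cookies a browser would resubmit on a request for url.
    A Secure cookie is withheld from plaintext http; every other matching
    cookie goes out in the clear, where a sniffer on the same Wi-Fi network
    can read it and replay it without ever seeing the password."""
    u = urlsplit(url)
    return [c["name"] for c in cookies
            if domain_matches(c["domain"], u.hostname)
            and (not c["secure"] or u.scheme == "https")]

def cookies_without_secure(cookies):
    """Audit check: cookies that will be exposed on any plaintext http hit."""
    return [c["name"] for c in cookies if not c["secure"]]
```

Run `cookies_sent` against the same jar with an `https://` and an `http://` URL for the mail host to see which values would have been visible to the sniffer in the demo.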

While stealing cookies to hijack Web services has been a well understood threat in security circles for some time, today's presentation merely ups the ante by showing that such an attack can be automated. Errata Security plans to release its toolset, called "Hamster" and "Ferret," on its Web site later today at no cost, Graham said.

By Brian Krebs  |  August 2, 2007; 3:16 PM ET
Categories:  Fraud , Latest Warnings , Safety Tips  

Comments

I don't understand why Gmail doesn't default to a fully encrypted session. All I can think of is that it saves them CPU time, which must be considerable since they have so many users.

Posted by: William | August 2, 2007 4:11 PM | Report abuse

Brian,

While I didn't see the demo, I doubt there is interception of a "cookie file" going on; instead it is the cookie values submitted by the browser in every plaintext HTTP request--with gmail, there is a collection of cookies and a URL auth value all transmitted in the clear after login is complete.

Perhaps the misunderstanding is in viewing a cookie as a "small text file". It's not a "file" at all in the traditional sense; it is a collection of name/value pairs that the browser remembers and resubmits with each HTTP request. The browser may incidentally save these values in a file so they are persistent across browsing sessions, but that file is usually stored on a local filesystem and is not transmitted over the network, unlike the cookie values in transit to the web server. Cookies will be encrypted in transit for SSL sessions, but gmail, like many other systems, doesn't use SSL by default for post-login traffic, as SSL imposes a large computation load.

Not sure why this attack should be considered impressive, tho; sounds like a pretty run-of-the-mill cookie hijacking attack. Unless some cryptographic result was announced (e.g. discovering a way to predict the cookie values without needing to observe them), this is the sort of thing that has been possible for a very long time.

Posted by: antibozo | August 2, 2007 5:39 PM | Report abuse

Great, this is the reason I haven't been able to get into my Gmail the last couple hours?!?

At least Gmail's got their ear on the ground (or in the air?) on this question.

Posted by: Dean | August 2, 2007 6:38 PM | Report abuse

I am confused as to why this got applause!? This type of wireless hack has been around for...um...since wireless networks were sniffable?

If THIS got applause (assuming this was reported correctly), then we got more problems than some skiddy cookie theft attacks...

Posted by: Jack | August 2, 2007 9:29 PM | Report abuse

HEY FOLKS --

IF YOU USE G.MAIL, ALL YOU HAVE TO DO IS TYPE IN HTTPS://GMAIL.GOOGLE.COM AND GOOGLE'S SECURE SERVER COMES UP, EVEN IF YOU ARE USING YOUR NORMAL CONNECTION.

THANKS BRIAN

BEEN HAVING SOME PROBLEMS LATELY THAT EVEN SPYWARE DOCTOR, AD-AWARE 2007 AND NORTON 2007 HAVE BEEN HAVING SOME ISSUES ADDRESSING.

INCIDENTALLY, BOTH SPYWARE DOCTOR AND AD-AWARE 2007 SEEM TO BE CATCHING BOTH TROJANS IN THE REGISTRY AND OTHER MALWARE THAT NORTON 2007 IS MISSING.

HAS NORTON DROPPED THE BALL ???

Posted by: bruce | August 3, 2007 1:43 AM | Report abuse

If there was ever a good reason to use the CustomizeGoogle addon, this would be it!

Posted by: Shaul | August 3, 2007 1:58 AM | Report abuse

I don't understand something.
Brian you recommend typing in https://gmail.google.com

I start typing in "mail"
At that point Firefox offers http://mail.google.com

I click on that and the webpage that comes up has a VERY long URL, but it starts with
https://gmail.google.com
and this is the page where I can log in.

What is the difference?

Posted by: csavargo13 | August 3, 2007 8:39 AM | Report abuse

The reason this is worthy of attention is that the tool makes hijacking easy. And if I understand correctly, the fact that you log on using the secure server does not mean that subsequent requests are all https encrypted. And even one request "in the clear" is too many, since it would contain the authentication cookie. Note that lots of sites do not implement https correctly, so that some things you think are being protected may not be. I wouldn't rely on https to protect me in a wireless network.

So if you are going to access email (or anything else requiring an id/password) over a wireless network, I'd suggest using ssh tunneling to route your request through a trusted ssh proxy. Or, just don't do it.

Posted by: Alan | August 3, 2007 9:57 AM | Report abuse

@ csavargo13

Just add a bookmark to your browser or right click the link and go to properties.
Paste this URL -- https://gmail.google.com -- and save it.

Now, once you click the link - don't let the browser suggest it - after you sign in the secure part - HTTPS - should last throughout your session.

Posted by: umm.huh | August 3, 2007 12:28 PM | Report abuse

Alan> The reason this is worthy of attention is that the tool makes hijacking easy.

I think where we differ is that, in my opinion, hijacking already was easy. I guess clicking on a link makes it slightly more convenient, but really, is a little convenience worthy of Black Hat applause?

Alan> And if I understand correctly, the fact that you log on using the secure server does not mean that subsequent requests are all https encrypted.

I believe the difference is that if you start with https, gmail stays on https. It always uses https for the actual login transaction, but if you start at http, it returns to http when authentication is complete.

Posted by: antibozo | August 3, 2007 1:55 PM | Report abuse

when you type www.gmail.com you are redirected to https
but Hotmail does have a https too https://login.live.com/
And Yahoo too:
https://mail.yahoo.com/

Posted by: Jean-Philippe | August 3, 2007 2:45 PM | Report abuse

@William

In addition to CPU time, https also requires a dedicated connection, which is probably the larger cost relative to http. Still, the security should trump the cost.

Posted by: Mark | August 3, 2007 3:05 PM | Report abuse

Okay, I've known for ages that Google does the right thing, but I have yet to discover a way to keep Yahoo encrypted after the login. The URL proposed above doesn't work, especially since you get a security warning when you try to connect to https://mail.yahoo.com (the certificate belongs to https://login.yahoo.com).

Posted by: Anders | August 3, 2007 3:30 PM | Report abuse

Antibozo wrote
> I believe the difference is that if
> you start with https, gmail stays
> on https.

You are probably correct regarding gmail. However in the general case, you really can't be sure unless you are verifying the html source before submitting every page. Many sites implement it incorrectly. It's not safe to teach the general public that https means you are protected. Your choices are (1) hope that your particular site implemented it right, (2) verify source on every page yourself, or (3) provide your own layer of protection by using an ssh tunnel or equivalent.

BTW, even if you're a serious geek, I'm not sure you have visibility into everything needed for source verification with web services applications like the new gmail / yahoo / hotmail interfaces. Of course you could try sniffing your own traffic. But if you discover that the session cookie is leaking out, it's too late. Your entire email account is already compromised.

Posted by: Alan | August 3, 2007 3:44 PM | Report abuse

Alan> you really can't be sure unless you are verifying the html source before submitting every page.

While I generally agree with your points, I'd still note that browsers will help you (if correctly configured) by warning you of any plaintext HTTP transaction performed in an otherwise encrypted context. So, theoretically, source analysis is not necessary for this. But, yes, assuming those warnings work correctly in the first place, people often turn them off.

There's another angle on this, which is that, when you log in to gmail, in addition to setting cookies for mail.google.com, google sets a number of cookies for .google.com. It's not clear to me whether those .google.com cookies would allow authentication bypass, but there's reason for concern, e.g. GMAIL_LOGIN is set both in mail.google.com and in .google.com, thus may be exposed in plaintext transactions with any google service; the values of GMAIL_LOGIN in mail.google.com and .google.com differ superficially, but it's possible one is simply a different encoding of the other.

Alan> It's not safe to teach the general public that https means you are protected.

I certainly agree with that statement, 100%! But I think Brian was clear in circumscribing his advice w.r.t. gmail appropriately.

Posted by: antibozo | August 3, 2007 4:52 PM | Report abuse

All the comments were very enlightening to me, though I don't have the knowledge to fully understand the reach of the damage that can result from those tactics used by Hackers.

Posted by: mayitohernandez@yahoo.com | August 4, 2007 11:38 PM | Report abuse

Brian,

My compliments for an important and informative article that elicited some excellent comments.

Posted by: RichardL | August 5, 2007 9:25 AM | Report abuse

To recreate cookies you can use aniscartujo proxy... you can make your own cookies to work with any page, without the need of a special browser or any other tool... just go to advanced options, create your cookie, and then go to the page that you want to use this cookie with :)

1) create cookies
https://aniscartujo.com/webproxy/options.aspx
2) use them
https://aniscartujo.com/webproxy/default.aspx?prx=http://mail.google.com/mail/

aniscartujo

Posted by: aniscartujo | August 5, 2007 7:23 PM | Report abuse

You'll still be at risk though you run your gmail in https, because google will use the same cookie for your other google applications (search, calendar), and those will not go over the channel that was encrypted for the mail.

This aspect of gmail, that in effect, it results in extra personal information on my google searches, is one reason I limit my gmail use. But now we can see it may have an even worse side-effect.

Posted by: Allison | August 6, 2007 8:16 AM | Report abuse

Allison> You'll still be at risk though you run your gmail in https, because google will use the same cookie for your other google applications (search, calendar), and those will not go over the channel that was encrypted for the mail.

Have you proved that that is the case? I.e., there are different collections of cookies for mail.google.com than for .google.com, although there is some overlap in the namespace. Have you demonstrated that there is in fact sensitive auth data in this overlap? If so, please elaborate.

Posted by: antibozo | August 6, 2007 3:06 PM | Report abuse

antibozo > Have you demonstrated that there is in fact sensitive auth data in this overlap? If so, please elaborate.

I did see it, but there's someone with a really great discussion of it, much better than I could do, here:

http://www.securityfocus.com/archive/1/475658

It's the GX record. As they point out, this is not a unique problem of gmail's (sigh).

Posted by: Allison | August 7, 2007 8:05 PM | Report abuse

OK, for those of us who use Yahoo! for web mail, what's the fix? Or is there none?

Posted by: Harleyrider | August 8, 2007 10:57 AM | Report abuse

© 2010 The Washington Post Company