Point-and-Click Gmail Hacking Shown at Black Hat

not5150 writes "Using Gmail or most other webmail programs over an unsecured access point just got a bit more dangerous. At Black Hat Robert Graham, CEO of errata security, showed how to capture and clone session cookies very quickly over connections without encryption. He even hijacked a shocked attendee's Gmail account in the middle of his presentation. 'While Ou was typing, Graham was running Ferret and sniffing all the cookies that were being sent from Ou's laptop and Google. Graham then clicked on Ou's IP address and Gmail page, complete with Ou's recently sent message on the screen. We photographed both Graham's and Ou's laptop at that time and posted it to the picture gallery. You'll see that the contents are exactly the same.'"

Slow News day?

[OverlordQ (264228)]

Somebody intercepted plaintext on an open network . . . . did I miss something?

Re:

[Cancel-Or-Allow (1073192)]

The funny thing is, gmail offers the ability to sign-in securely, but not an option to keep it SSL throughout the entire session. It works when you manually change the http to https in the url after signed in, but there is still brief moment of unsecured traffic during this process.

Re:Slow News day?

[zippthorne (748122)]

That's odd. I go to https://mail.google.com/ and at no time during the login process do I ever see the address bar go from yellow to white. Are you sure it still works the way you say? Or is it sending something unencrypted so fast that I'm just not noticing (which would be kind of worrying).

Re:Slow News day?

[tizan (925212)]

I believe if you use https://gmail.google.com/ [google.com] (note gmail instead of mail) your whole mail session is always encripted and not the login page only.

Re:Slow News day?

[SanityInAnarchy (655584)]

Because this means more computing for google servers.

This is Google we're talking about. They can take it.

I mean, seriously, even an old 200 mhz Linux box set up as a server can do crypto at wire speed (100 mbit ethernet). I'm sure it takes them more cycles to spellcheck it for you.

And also because your mail is sent as plain text to the recipient's mail server (and it came as plain text on google server). So it would be useless to crypt only the first (or last) part of the way.

"Not entirely secure" is not the same thing as "useless".

Consider: The majority of most websites are mostly served as plain HTML over HTTP. Is it still "useless" for me to admin mine using SSH instead of unsecured FTP? I think not.

The point I am making here is, if your communications with Gmail are unencrypted, it makes it possible for someone to not only intercept the content of the message, but alter it -- they could, in fact, hijack your whole session, gain access to your archived mail, and send mail pretending to be you. All of this is theoretically possible with that SMTP connection between Gmail and another mailserver, but it's also insanely difficult to get anywhere close to what you can get by hijacking the session.

And there's even a point to encrypting it, as opposed to just signing it. Well, two points, actually:

1. Browsers include SSL natively, but there's no spec for just signing something and sending it plaintext. Therefore, it would have to be done in JavaScript, which is MUCH slower.
2. SMTP is only used for connections between Gmail and other servers. Mail sent between you and another Gmail address is entirely secure, once it gets to the server. Why let people hijack your session and make it insecure?

I mean, I tend to agree with you somewhat -- I only really do email from the one machine that has my GPG key, and I wouldn't use Gmail for more than backup. I don't see much point to webmail, because I never login to anything from a computer that isn't my own, because I don't like exposing myself to keyloggers.

But even if it can't be very secure, why make it even less secure than it can be?

Re:Slow News day?

[gpuk (712102)]

That is the correct behaviour.

Essentially, if you enter via http://mail.google.com/ [google.com] Google remembers this and encrypts only the login process and then reverts back to plain text. If you enter via https://mail.google.com/ [google.com] your session remains encrypted throughout.

Re:Slow News day?

[Kartoffel (30238)]

That's easy enough to fix with a Firefox plugin: http://www.customizegoogle.com/ [customizegoogle.com]

Another Extension

[lupine (100665)]

I use the Gmail Notifier [mozilla.org] firefox extension which checks for messages and forces gmail to use secure connections.

Bottom line

[Kadin2048 (468275)]

I think the upshot of this isn't really "look at us, we can sniff plaintext Wifi connections," but "look at one of the biggest players in web mail use plaintext connections even though they ought to know it's a hideously bad idea."

It's more of an indictment of Google than anything, because they default to unencrypted HTTP rather than HTTPS, and most users won't know that they can go to https://mail.google.com/mail/ [google.com] to force smarter behavior.

Re:Bottom line

[It'sYerMam (762418)]

And furthermore, if you use google via a customised google page (http://www.google.com/ig) then even if you redirect that to https://.../ [...] then the link to GMail is still regular http.

Re:

[HitekHobo (1132869)]

I'd be a lot more impressed if they had altered Doug Song's toolsuite from 7 years ago to use wifi at layer 2.

Dsniff / Monkey in the middle attacks [monkey.org]

Re:Slow News day?

[by Anonymous Coward]

if the traffic is sniffed as the browser is sending the SSL requests, one could sniff the SSL key and just use that to get in.

You have no idea how SSL works.

Re:Slow News day?

[tom17 (659054)]

Seemingly neither do the people in the comments section at the bottom of TFA :-(

Worrying.

Re:Slow News day?

[The Velour Fog (1087217)]

Also, logging in via SSL doesn't always work either - if the traffic is sniffed as the browser is sending the SSL requests, one could sniff the SSL key and just use that to get in.

SSL uses Diffie-Hellman key exchange [wikipedia.org] so no unencrypted key is ever sent

Re:

[Aeiri (713218)]

This is the first time it's been compiled into an automated tool.

No it's not, there's another that's better and it's been around for a long while. It was once Ethereal, and now called Wireshark [wireshark.org].

Re:

[Burz (138833)]

This takes way more work, and there will be a popup that says "This certificate has not been signed by a trusted authority, someone might be trying to sniff you out". No one with a tiny bit of computer security knowledge would fall for this, but a clueless user who clicks "Allow" on everything probably would be.

And I try to educate everyone I know about handling certificate warnings. They are all worried about Internet insecurity, and I tell them their connection (assuming they have a clean systems) WILL be

Could be fixed easily by Google. Shame.

[OpenGLFan (56206)]

This is shameful. It's 2007, Google. SSL has been a (reasonable) standard since 1996. USE IT.

Re:

[ohearn (969704)]

Gmail will use SSL over any browser, it just doesn't by default (which is a shame, but easily fixed for those of us that care)

Re:Could be fixed easily by Google. Shame.

[SatanicPuppy (611928)]

They offer it. All you have to do is go to https://mail.google.com/ [google.com] rather than http://mail.google.com./ [mail.google.com]

I fail to see how the average person, as usual, being lax about their security is in any way Google's fault. This was something I found immediately, just because I won't check my email without a secure connection.

Re:Could be fixed easily by Google. Shame.

[Bob 535604 (871095)]

I fail to see how the average person, as usual, being lax about their security is in any way Google's fault. This was something I found immediately, just because I won't check my email without a secure connection.

A lot of people wouldn't know about this or even look for it and you know it. Google could make https the default or even mandatory, and it would completely kill this entire issue.

Re:Could be fixed easily by Google. Shame.

[TheRaven64 (641858)]

A huge part of security is having sane defaults. If you support 'secure' and 'insecure' you should default to 'secure,' and let users who know what they are doing, and need 'insecure' behaviour opt into it. You shouldn't default to 'insecure' and make it the users' responsibility to select 'secure.'

It's not Google's fault...

[overeduc8ed (799654)]

It's not Google's fault -- gmail is still in beta! :)

Re:Could be fixed easily by Google. Shame.

[AeroIllini (726211)]

The user must take responsibility for their own security.

Yet we turn around and lambaste Microsoft for allowing users to run as Administrator by default, having no-password logins, not locking down the registry, and allowing 3rd party developers to still require admin privileges just to run a userspace application.

The point is, security is more than just "what's available." It also has to be about how good the defaults are. The technical community cried foul when Microsoft included a firewall in Windows XP but didn't have it turned on by default, and we complained so much that in SP2 Microsoft finally changed the default.

I agree that security is ultimately the responsibility of the user, but they should not have to seek out secure settings and turn them all on one by one. The default mode for any network-enabled program should be Secure. If the user needs Insecure, then they should have to change a setting to make it so. Spam should be opt-in, security should be opt-out. Anything else is unfair to the user.

Re:

[BewireNomali (618969)]

correct me if I'm wrong, but don't most who complain about microsoft OSes point to prior defaults to administrator privileges as a major security concern? If so, by that same reasoning, shouldn't web services default to more secure configurations as opposed to less?

Re:

[fbjon (692006)]

They shouldn't tell anyone, just transparently redirect to the secure URL. Sane defaults, and all that jazz. Or at least semi-transparently, with a "redirecting..." page that has a link to both encrypted and unencrypted login URLs, in case some network blocks https.

Good reason to install Better GMail!

[Mr. X (17716)]

The Firefox extension forces GMail to always run over SSL. It's great! [lifehacker.com]

Re:Good reason to install Better GMail!

[afidel (530433)]

I think you should have linked to the Mozilla addons [mozilla.org] page. I know I wouldn't install a firefox addon from a random site with the name hacker in the URL.

Correct me if I'm wrong but

[trifish (826353)]

Even if you don't have encrypted transfer, session cookies can be easily secured by associating them with a certain IP address. The attacker who captures the cookies has a differnt IP address so the cookie is rejected as invalid. The only situation where this solution may get a bit annoying is if you're behind a load-balancing proxy, which changes your IP address on every request (fortunately, this is somewhat rare.) It's better than allow easy hijacks...

Re:Correct me if I'm wrong but

[Stile 65 (722451)]

If the hijacker gets on your wireless AP, then he's NATed behind the same public IP address as you. Voila, he matches your IP. Another layer is to also fix the session cookie to the browser's UA string, but that won't work if the attacker knows you're doing it and changes his browser's UA string to match yours. In summary, secure your wireless AP if you're a user and buy some SSL acceleration hardware so you can support forcing all traffic on your website to use SSL if you're a service provider.

Re:

[TheRaven64 (641858)]

Even if he's not NAT'd, if he's on the same WLAN then he's on the same broadcast segment as the real owner of the IP, so he can just send packets claiming to be from the legitimate user and run his interface in promiscuous mode to grab the replies.

Security is an application-layer problem.

[Kadin2048 (468275)]

In summary, secure your wireless AP if you're a user and buy some SSL acceleration hardware so you can support forcing all traffic on your website to use SSL if you're a service provider.

I agree with the latter recommendation about using SSL, but saying 'secure your wireless AP' doesn't do a lot to help the many public wifi locations; I think it's unhealthy to ever assume that a wireless connection will be secure. As more wireless networks are rolled out, and more people get laptops with built-in wireless and traipse happily from home to their local coffeeshop, where they're sharing an IP and an unencrypted connection with many untrusted users, opportunities for sniffing and hijacking are only going to become more common.

As users demand more portability, security and authentication need to be moved (and kept) up at the application layer, and not simply assumed as part of the datalink or physical layers.

Re:

[trifish (826353)]

I've just read TFA and realised that all people in the room were sharing the same IP address, so what I described in parent post wouldn't help. The only thing they can do is force SSL to all requests.

Re:Correct me if I'm wrong but

[vidarlo (134906)]

Even if you don't have encrypted transfer, session cookies can be easily secured by associating them with a certain IP address. The attacker who captures the cookies has a differnt IP address so the cookie is rejected as invalid.

More often than not, all users of a wireless net is behind a NAT device, which makes all the devices have the same official IP. The same applies to most domestic, workplace and school wlans, so really, that would make little or no difference. Now, in a IPv6 world, it would make a difference, since everyone has a unique IP there...

Firefox

[Sierpinski (266120)]

I don't have the extension that forces it to use SSL, but all you have to do to force the connection manually is add the 's' after http, and the session will reload under SSL. Hopefully you haven't already been compromised at that point.

I'm going to look for the Firefox extension now...

O RLY?

[Control Group (105494)]

I'm sure everyone's going to bitch about how Google should use SSL for everything. And from a marketing perspective, maybe they should.

But the openness of your wireless network really isn't their problem. You don't blame the banks if you shout your PIN out while you're at the ATM, do you? Or, more aptly, you don't blame the bank if you trust your ATM card and PIN to some stranger in a coffee shop.

It isn't Google's responsibility to secure your connection end-to-end. It's far more reasonable to think that it

Not the network's job.

[Kadin2048 (468275)]

That's dumb. An application should never assume that the network it's connected to is secure. It doesn't matter whether you're plugged into switched Ethernet, a wireless LAN, or IP over carrier pigeon -- if you're designing an application that's going to transmit sensitive/assumed-private data (which email clearly is), it's a mistake to just blithely assume that the network is in any way secure.*

An application like Gmail should be treating all network connections as though they're unencrypted Wifi (or hubbe

Always use https://gmail.google.com

[StandardCell (589682)]

Although they don't have a public key scheme strong enough for the AES-256 (requires 15360-bit RSA or 256-bit ECC for public key), you should always be logging in using https://gmail.google.com/ [google.com] from all locations (even home) to ensure the entire session is encrypted.

ssl and gmai.

[jshriverWVU (810740)]

if you put a https instead of http for gmail.google.com it'll work. I dont understand why they don't do this by default if they already support it.

Easy fix

[teslatug (543527)]

Bookmark the secure address and use that (who wouldn't over open wireless??). You could also use http://www.customizegoogle.com/ [customizegoogle.com] with Firefox if you're using Gmail to force it to go to the secure URL.

Make it default to https

[ajs318 (655362)]

#  This is how I did it:
#
#  Actual snippet from my Apache configuration .....  mostly.
#  Some details have been changed to protect the innocent
#  And some details have been changed to protect the guilty
#
#  The virtual host "secure.mydomain.co.uk" cannot be accessed
#  by http; only by https.
#
#  The insecure port
<VirtualHost 10.11.12.13:80>
    ServerName secure.mydomain.co.uk
    DocumentRoot /var/www/
    <Directory /var/www/>
        RedirectMatch ^/[^iI] /insecure/
        # In this directory is a page with a dire warning
        # that https is required to access this server.
        # NB.  To avoid creating an infinite loop, we never
        # redirect if request begins with I or i.
    </Directory>
</VirtualHost>
#  The secure port
<VirtualHost 10.11.12.13:443>
    SSLEngine on
    .....
</VirtualHost>

Re:

[Constantine XVI (880691)]

Apple has nothing at all to do with it.

Re:

[Amiga Lover (708890)]

Apple has nothing at all to do with it.

Wow, you guys are getting quick. One minute for a denialist to chime in. I'm impressed.

Re:

[Constantine XVI (880691)]

You do realize that GMail and Apple aren't related at all, right? The FA didn't even mention Apple. ...but I'm guessing you didn't read it. This is Slashdot, after all.

Re:

[Control Group (105494)]

I can't tell if this is the troll version of the long con, or if you've really got some sort of point about Apple, here.

If the former, I have to say, it's a well-played troll. If the latter, it would be nice if you got off your ass and made whatever devastating point you're so coyly alluding to.

rofl

[SatanicPuppy (611928)]

Ha! Come on, give it up for the troll, that was funny.

Re:

[Kadin2048 (468275)]

I think he's making a reference to this event [slashdot.org].

Re:

[jrumney (197329)]

Under server settings for your mail account, make sure either TLS or SSL is selected if you want to ensure that your connection is encrypted. I think TLS, if available is the default. On servers that support STARTTLS, this is OK, but it won't warn you if your server does not support it. Its better to try the forced TLS, and if you get an error, try SSL. If you have to switch back because your server does not support either, at least you know its insecure and can change your behaviour on insecure networks to

Yes, it is.

[Kadin2048 (468275)]

You're right that the exploit itself really isn't that new. What's new is twofold:

1) It's being done to Gmail, a service provided by People Who Should Know Better.
2) There is now a tool that allows any script kiddie to do it, meaning that it's no longer a theoretical exploit; it's something that your next-door neighbor is going to be doing to you (or your slightly less-technically-savvy family/friends) if you don't take precautions.

#2 is probably most significant, since it's really what's going to cause #1 to change. Sometimes, producing a GUIed, Windows-based exploit tool is the fastest way to get a problem fixed, because it's the easiest way to turn an academic argument into a real-world security issue that will get resources thrown at it. (Of course, it may also land you in jail.)

Re:psh

[Applekid (993327)]

Maybe not, but the heavenly smell is basically a SSID broadcast of their existance to those interested in finding them.

Re:thank god...

[Howitzer86 (964585)]

I have never heard of anyone thanking God that they use Yahoo... in my entire life.