Even SSL Gmail can get sidejacked

Summary:When Robert Graham demonstrated how Web 2.0 wasn't safe at last year's Blackhat, it was thought that at least the SSL mode (HTTPS) of Google Gmail would be spared from sidejacking.

When Robert Graham demonstrated how Web 2.0 wasn't safe at last year's Blackhat, it was thought that at least the SSL mode (HTTPS) of Google Gmail would be spared from sidejacking.  That presumption now appears to be false according to this updated blog posting from Graham.  Even with SSL enabled, Gmail sessions can still be hijacked by Graham's Hamster and Ferret (or less easily with Wireshark and Mozilla's cookie editor).

Sidejacking is a term Graham uses to describe his session hijacking hack that can compromise nearly all Web 2.0 applications that rely on saved cookie information to seamlessly log people back in to an account without the need to reenter the password.  By listening to and storing radio signals from the airwaves with any laptop, an attacker can harvest cookies from multiple users and go in to their Web 2.0 application.  Even though the password wasn't actually cracked or stolen, possession of the cookies acts as a temporary key to gain access to Web 2.0 applications such as Gmail, Hotmail, and Yahoo.  The attacker can even find out what books you ordered on Amazon, where you live from Google maps, acquire digital certificates with your email account in the subject line, and much more.

Gmail in SSL https mode was thought to be safe because it encrypted everything, but it turns out that Gmail's JavaScript code will fall back to non-encrypted http mode if https isn't available.  This is actually a very common scenario anytime a laptop connects to a hotspot before the user signs in where the laptop will attempt to connect to Gmail if the application is opened but it won't be able to connect to anything.  At that point in time Gmail's JavaScripts will attempt to communicate via unencrypted http mode and it's game over if someone is capturing the data.

What's really sad is the fact that Google Gmail is one of the "better" Web 2.0 applications out there and it still can't get security right even when a user actually chooses to use SSL mode.  Other applications like Microsoft's MSN/Hotmail and Yahoo don't even have SSL modes.  The fact that they use SSL mode for first time authentication and sign-in is irrelevant because they all drop down to unencrypted mode right after the user authenticates.

At this point in time, unless you're using a secure wireless LAN with link layer security or unless you use a VPN and route all your traffic through the VPN gateway, you're wide open to sidejacking for any cookie-using web application on any unencrypted wireless LAN.

Topics: Security, Browser, Collaboration, Google, Networking

About

George Ou, a former ZDNet blogger, is an IT consultant specializing in Servers, Microsoft, Cisco, Switches, Routers, Firewalls, IDS, VPN, Wireless LAN, Security, and IT infrastructure and architecture.

Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.