Free tool automates attacks on Gmail, Facebook

A new open-source tool is intended to demonstrate the security weaknesses in online applications and banking websites
Written by Matthew Broersma, Contributor

A security researcher will on Tuesday demonstrate a free, open-source tool designed to carry out automated man-in-the-middle attacks on users accessing popular sites such as Gmail, Facebook, LiveJournal and LinkedIn.

The tool, called The Middler, is designed to target users who access services via public networks in hotels, coffee shops and aeroplanes. Besides launching man-in-the-middle attacks, in which communications are intercepted so the attacker can pass his own data between the website and the client device, the tool can also compromise computers and even iPhones via their software-update mechanisms, according to researcher Jay Beale.

"If we share a LAN, I can view and modify all your traffic," Beale said on The Middler's website.

Beale is scheduled to demonstrate The Middler at October's SecTor conference in Toronto.

While the dangers of using a public network are already well-known, Beale said his tool takes exploitation to a new level of "brain-dead easy" simplicity and scalability. "The Middler allows an attacker with no web-application hacking experience to launch attacks that previously required substantial time and skill," Beale's company, InGuardians, stated on The Middler website.

The tool is intended to demonstrate a particular weakness found in many popular online applications — the use of clear-text HTTP transmissions for much of the user session.

While sites such as Gmail use encrypted HTTPS sessions for the login process, they switch back to clear-text HTTP for the rest of the session, Beale said.

"Many companies misunderstand that encrypting only their application's password form leaves their users very vulnerable to man-in-the-middle attacks," Beale noted.
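A site owner can check for the login-only encryption pattern described above by auditing the responses of their own login flow. The following is an added example, not code from The Middler or from the article. The host name, cookie values and both sample flows are constructed, and the Strict-Transport-Security check is a mitigation beyond what the article discusses.

```python
from urllib.parse import urlsplit

# Constructed sample: responses of a login flow on a hypothetical site.
SAMPLE_FLOW = [
    ("https://mail.example.test/login", [
        ("Set-Cookie", "SID=constructed123; Path=/; HttpOnly"),
        ("Location", "http://mail.example.test/inbox"),
    ]),
    ("http://mail.example.test/inbox", [
        ("Set-Cookie", "PREFS=lang-en; Path=/"),
    ]),
]
# Constructed sample: the same login response with the weaknesses corrected.
HARDENED_FLOW = [
    ("https://mail.example.test/login", [
        ("Set-Cookie", "SID=constructed123; Path=/; Secure; HttpOnly"),
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Location", "https://mail.example.test/inbox"),
    ]),
]

def cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_flow(flow):
    """List findings that leave a session exposed on a shared network."""
    findings = []
    for url, headers in flow:
        scheme = urlsplit(url).scheme
        names = {k.lower() for k, _ in headers}
        if scheme == "http":
            findings.append(f"{url}: page served over clear-text HTTP")
        elif "strict-transport-security" not in names:
            findings.append(f"{url}: no Strict-Transport-Security header")
        for key, value in headers:
            if key.lower() == "set-cookie":
                name, attrs = cookie_attrs(value)
                if "secure" not in attrs:
                    findings.append(f"{url}: cookie {name} lacks Secure")
            elif key.lower() == "location" and scheme == "https":
                if urlsplit(value).scheme == "http":
                    findings.append(f"{url}: redirect downgrades to {value}")
    return findings
```
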

The tool is able to hijack sessions for web applications such as Gmail, LiveJournal and LinkedIn without user interaction, Beale said. After hijacking a Gmail user session, the attacker can read the user's email, harvest the address book, send emails and prevent the user from logging out, among other things, he claimed. The LinkedIn exploit allows an attacker to read the user's full contact information and that of others on the user's personal network.

Beale plans to demonstrate the hijack of banking sessions, installation of a Trojan horse on a jailbroken iPhone, injection of JavaScript into browser sessions and cross-site request forgery (CSRF) attacks.

The Middler is written in Python and uses a plug-in framework, intended to allow other developers to extend it or to integrate it into other security software.
