Robert Graham (CEO Errata Security) gave his Web 2.0 hijacking presentation to a packed audience at Black Hat 2007 today. The audience erupted with applause and laughter when Graham used his tools to hijack someone's Gmail account during an unscripted demo. The victim in this case was using a typical unprotected Wi-Fi Hotspot and his Gmail account just popped on the large projection screen for 500 or so audience members to see. Of course had the poor chap read my blog about email security last week he might have avoided this embarrassment. But for the vast majority of people using Gmail or any other browser or "Web 2.0" application, they're all just a bunch of sheep waiting to be jacked by Graham's latest exploit.
I caught up with Graham after the show and we went over more of the details of this Web hijacking exploit. First he captures the Wi-Fi signals using his laptop and a tool called Ferret which he wrote earlier this year. The tool grabs Cookies and Session IDs from your Web Browser session sent over the air and stores it.
Next, Graham fires up his new tool called Hamster (which he will post within the next week) which will process those Session IDs and Cookies so that they're ready to clone.
Captured Session IDs and Cookies
Hamster hosts a local proxy server that allows point-n-click hijacking
The attacker can then go to his local Hamster proxy server to clone other people's Web identities and hijack their Web accounts.=
Once the identity is cloned, the attacker is able to jump on to online services like Gmail masquerading as the victim with full access to read and send email on behalf of the victim. Furthermore, the attacker can go to maps.google.com and find the victim's personal information like home address if it's saved in to Google Maps.
I volunteered to set up an account on Gmail called "GetMeHacked" and allowed Graham to perform the attack. I then got a test email to Humphrey Cheung (Sr. Editor TGDaily) who was also watching the attack. Cheung posted his story here.
Before I knew it, I got hijacked and Graham sent an email on behalf of me.
What makes this even scarier is that Graham can go back in to my Gmail account for at least several more days using the same hijacked Session ID and Cookies. In fact he doesn't even need to perform the hijacking immediately because he can record all the Wi-Fi Hotspot data and process it with Hamster at anytime before the Cookies expire. In one fell swoop the attacker can steal the identities of every Wi-Fi Hotspot user within a few hundred feet or a lot more if a larger antenna is used.
If you weren't already scared of using public Wi-Fi Hotspots before, this should drive the point home. Graham even mentioned the dangers of Municipal Wi-Fi the use of Anonymous Secure Hotspots to solve this problem which I wrote about a few weeks ago. For the time being however, there isn't much that can be done on the vast majority of Web 2.0 services. Gmail fortunately allows the user to manually force SSL mode which would solve this problem but unfortunately they don't turn it on automatically for all users so the vast majority of users are wide open to session hijacking. For now, a user's only effective solution is to use some sort of VPN gateway to encrypt all of their data but most people won't do that. Tools like Hamster and Ferret will hopefully raise awareness and get the public to demand more secure Hotspots and SSL-enabled online services.