
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Even SSL Gmail can get sidejacked

By | January 31, 2008, 2:09am PST

When Robert Graham demonstrated how Web 2.0 wasn’t safe at last year’s Blackhat, it was thought that at least the SSL mode (HTTPS) of Google Gmail would be spared from sidejacking.  That presumption now appears to be false according to this updated blog posting from Graham.  Even with SSL enabled, Gmail sessions can still be hijacked by Graham’s Hamster and Ferret (or less easily with Wireshark and Mozilla’s cookie editor).

Sidejacking is a term Graham uses to describe his session hijacking hack that can compromise nearly all Web 2.0 applications that rely on saved cookie information to seamlessly log people back in to an account without the need to re-enter the password.  By listening to and storing radio signals from the airwaves with any laptop, an attacker can harvest cookies from multiple users and go into their Web 2.0 applications.  Even though the password wasn’t actually cracked or stolen, possession of the cookies acts as a temporary key to gain access to Web 2.0 applications such as Gmail, Hotmail, and Yahoo.  The attacker can even find out what books you ordered on Amazon, where you live from Google Maps, acquire digital certificates with your email account in the subject line, and much more.

Gmail in SSL https mode was thought to be safe because it encrypted everything, but it turns out that Gmail’s JavaScript code will fall back to unencrypted http mode if https isn’t available.  This is actually a very common scenario: when a laptop connects to a hotspot before the user has signed in to the hotspot, an open Gmail window keeps trying to reach Gmail but can’t connect to anything.  At that point Gmail’s JavaScript attempts to communicate over unencrypted http, and if someone is capturing the data it’s game over.

What’s really sad is the fact that Google Gmail is one of the “better” Web 2.0 applications out there and it still can’t get security right even when a user actually chooses to use SSL mode.  Other applications like Microsoft’s MSN/Hotmail and Yahoo don’t even have SSL modes.  The fact that they use SSL mode for first time authentication and sign-in is irrelevant because they all drop down to unencrypted mode right after the user authenticates.

At this point in time, unless you’re using a secure wireless LAN with link layer security or unless you use a VPN and route all your traffic through the VPN gateway, you’re wide open to sidejacking for any cookie-using web application on any unencrypted wireless LAN.
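Both mechanisms the article describes, replaying a harvested session cookie and the client silently falling back from https to http, come down to one question: will the browser attach the session cookie to a plaintext request? The script below is an added example, not code from the article, from Graham's tools or from Google. It models a browser cookie jar with Python's standard http.cookiejar and shows that a session cookie carrying the Secure attribute is withheld from http:// requests even after a page has fallen back, while the same cookie without the attribute goes out in the clear. The host mail.example.com, the cookie names and the token values are constructed placeholders, and the last function is the kind of check a defender can run over a site's Set-Cookie headers.

```python
"""Added example: why the Secure cookie attribute matters for sidejacking.

Models a browser cookie jar with the standard library (http.cookiejar) and
shows which cookies a client would attach to a request once a page falls
back from https:// to http://. Host name, cookie names and token values
are constructed for illustration; they are not Gmail's real cookies.
"""
import http.cookiejar
import http.cookies
import urllib.request

HOST = "mail.example.com"  # constructed placeholder, not a real mail host


def make_session_cookie(name, value, secure):
    """Build a version-0 (Netscape-style) session cookie scoped to HOST."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=HOST, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure,            # the attribute under discussion
        expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False)


def cookie_header_for(jar, url):
    """Return the Cookie header a browser-like client would send to url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)      # the jar's policy enforces the Secure attribute
    return req.get_header("Cookie")


def leaked_over_http(secure_flag):
    """True if a session cookie created with the given Secure flag would be
    attached to a plaintext http:// request, i.e. visible to anyone sniffing."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_session_cookie("SID", "constructed-session-token", secure_flag))
    return cookie_header_for(jar, f"http://{HOST}/mail/") is not None


def set_cookie_is_hardened(set_cookie_value):
    """Defender's check on a Set-Cookie header value: every cookie in it must
    carry Secure (never sent over http) and HttpOnly (not readable by script)."""
    parsed = http.cookies.SimpleCookie()
    parsed.load(set_cookie_value)
    return all(bool(m["secure"]) and bool(m["httponly"]) for m in parsed.values())


if __name__ == "__main__":
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_session_cookie("SID", "constructed-session-token", secure=False))
    jar.set_cookie(make_session_cookie("SSID", "constructed-secure-token", secure=True))
    for scheme in ("https", "http"):
        print(f"{scheme}:// request carries:",
              cookie_header_for(jar, f"{scheme}://{HOST}/mail/"))
    print("weak  :", set_cookie_is_hardened("SID=abc; Path=/"))
    print("strong:", set_cookie_is_hardened("SID=abc; Path=/; Secure; HttpOnly"))
```

Run as-is, the https request carries both constructed cookies while the http request carries only SID, the one without Secure. The attribute closes the specific leak the article describes (a session token riding on a plaintext fallback request) but it does not stop the fallback itself, so it complements, rather than replaces, forcing the client to stay on https and having the server refuse plaintext requests.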

ZDNet requires cookies to work...
bjbrock 31st Jan 2008
when using talkback. This is ridiculous. According to this blog, this is a security risk. Even though security is not a real issue when using talkback, requiring cookies, by this blog's own admission, is not the most secure way to conduct business.
0 Votes
+ -
In the linked blog, he even states that some sites do it "right". The issue with gmail is that if SSL fails, it automatically drops to non-SSL mode, sending your ID cookie unencrypted.

But really, who cares about stealing your zdnet account? Just so they can post and pretend to be bjbrock?

Heyyyy... How do we know that's really you?
0 Votes
+ -
Cookies are neither secure nor insecure, they're just post-it notes. If you write your shopping list on a post-it note, there's not much security risk there. If you write your password on one, it suddenly becomes more serious. But don't blame the post-it notes themselves.

The issue is with the web sites using non-encrypted communication during authentication, not using cookies.
0 Votes
+ -
Almost right ....
fr0thy 31st Jan 2008
the trick is to use SSL for all of the communication. Then you're ok, because nobody sees your cookie (which translates to "valid user" on the web server).
0 Votes
+ -
All sites do this, including ZDNet
georgeou 31st Jan 2008
All sites do this, including ZDNet. That means if someone sidejacks you while you post a message here over a hotspot, then they'll be able to post messages as you.

I'm not going to tell you this isn't a problem or that there is an excuse for this, but compared to getting Hotmail, Yahoo, or Gmail sidejacked, this is a relatively small problem.
0 Votes
+ -
All sites do this
Magicianbp@... 4th Feb 2008
As some have said, I cannot talk about this issue at your level. However, I do have a concern about "All sites do this including ZDNet" and then saying there may or may not be a problem with it or that there is an excuse. Then comparing it to Hotmail, Yahoo, or Gmail being sidejacked, this is a relatively small problem. Isn't that saying that if ZDNet shoots you with a .22 cal. bullet that is a relatively small problem, because Hotmail, Yahoo and Gmail use a .357 magnum? If this is a problem, then why don't the "experts" fix it when we communicate with their site? If this problem cannot be fixed, then why are we wasting time talking about it? It just goes with the idea that we are going to be using computers forever.
Thanks, Bob
0 Votes
+ -
This isn't your personal email
georgeou 4th Feb 2008
Again, I'm not excusing ZDNet or anyone else, this is a problem. But the worst thing that happens if you get sidejacked on ZDNet is that someone gets to post relatively anonymous talkback on behalf your somewhat anonymous account.

If someone sidejacks a GMail, Hotmail, Yahoo mail, etc. account, they get to read your personal email past, present and future. They also get to send email on behalf of you and acquire S/MIME digital signature certificates with your email account so they can pretend to be you. They can have interactive and insulting communications with other people on behalf of you and delete that conversation so you never know what happened until you get a rude surprise.
0 Votes
+ -
Or can they?
d.s.williams 8th Feb 2008
That may or may not be so. Yahoo periodically asks you to re-enter your password, even if you wanted to be left logged on, and always asks for it if you want to make any changes to your account, such as changing passwords etc. Surely any sidejacker would get stopped at that hurdle, wouldn't they? I always assumed this was the reason for such hurdles in any case.
0 Votes
+ -
RE: Even SSL Gmail can get sidejacked
shoktai@... 31st Jan 2008
Not sure what you mean by "if https isn’t available", but if you use the CustomizeGoogle extension to Firefox, you can force GMail to use https: all the time.

That only addresses the webpage, not the JavaScript dropping back to HTTP problem.
0 Votes
+ -
Nonrepudiation
tw_cook 31st Jan 2008
While my GMail account may get sidejacked, people that I communicate with will know if I sent the email or not because I use Evolution as a client and every message is signed by me. I VERY seldom use the webmail access. It isn't convenient nor is it as safe as POP/SMTP.
0 Votes
+ -
POP/SMTP Secure?
GeneBuettner 31st Jan 2008
Uhhh... POP3 &amp; SMTP are wide open. If you're on an unencrypted wireless or other open network, sniffing your password in clear text is a breeze. And if I hacked into your GMail account I may not be e-mailing your contacts but be spewing SPAM from your account that Google and the world would swear came from you.
0 Votes
+ -
GMail's POP/SMTP is encrypted
scott_c_jordan 31st Jan 2008
Gmail uses SSL for POP connections and TLS for SMTP. So "wide open" would not appear to be a correct description, this latest vulnerability aside.

Yes, it is secure if you use POP, SMTP, IMAP with SSL and/or TLS. I'm not sure if Google forces the use of SSL or not, but their instructions tell you to use SSL or TLS.

You and 0.1% of the other population use digital signatures. That still doesn't prevent someone from reading all of your email. It still won't prevent someone from using an automated Certificate Signup mechanism with Thawte to get their own X.509 certificate with your email account signed on it.
0 Votes
+ -
"It still won't prevent someone from using an automated Certificate Signup mechanism with Thawte to get their own X.509 certificate with your email account signed on it."

Problem is, the new certificate wouldn't match the one he's using - certificates are created in such a way that no two are alike. If they are set up properly to read his digital signature, they'll be notified immediately that the email is using a different certificate.

But you are correct that very few people use this technology.

Doesn't matter if it doesn't match, it will be a valid cert. Email clients won't care if the cert doesn't match, they'll report it as a valid cert.
0 Votes
+ -
digital signatures
dariced@... 20th Feb 2008
I'm in the legal field and digital signatures are used often. I don't know a lot about security but this has been going on for a while with no problems I'm aware of in Chicago. Now, if you accidentally fax your defense strategy to the other party, that's a whole other matter :)
Dawn
0 Votes
+ -
RE: Even SSL Gmail can get sidejacked
VTSkiBum 31st Jan 2008
Is this an issue for people that do not store user names and passwords AND logout of Web 2.0 applications such as Gmail, Hotmail, and Yahoo when they are finished?
0 Votes
+ -
What happens is
fr0thy 31st Jan 2008
somebody listening to unencrypted traffic on a network that your communication traverses can pick up your cookie of "session_id=hdfgsdfgskgsdkf" and use that themselves, assuming the server is coded dumbly enough to just accept that.
0 Votes
+ -
RE: Even SSL Gmail can get sidejacked
sabiodun@... 31st Jan 2008
it is very "alarming" and it is asking a lot of questions about the potential of all WEB 2.0 applications, especially SaaS, on their ability to secure corporate data.
0 Votes
+ -
When I am away from home...
D T Schmitz 31st Jan 2008
...my method is to set up an ssh (secure shell) SOCKS5 proxy to my home gateway PC.

This GUARANTEES that all web activity (including DNS) tunnel encrypts over public (hostile) networks to my home proxy.

As for using the Gmail Web interface, I rarely use it and prefer instead to run Kmail client with cache-imap on a WPA secured home network.

Kmail includes integrated SpamAssassin and ClamAV.

A good how-to for setting up Kmail with Gmail and imap can be found here.

No worries.

Your concerns George are valid ones!! Thanks.
0 Votes
+ -
Last line is misleading...
pheh@... 31st Jan 2008
If your server only talks HTTP/S the three way handshake attempted on port 80 (HTTP) will never complete and the data will be protected from sniffing regardless of how ignorant your developers are.

If your server only talks HTTPS, that doesn't solve the JavaScript client spitting out your cookie information on HTTP.
0 Votes
+ -
Yes, it does...
pheh@... 31st Jan 2008
If your server isn't listening on port 80 for HTTP then you will never complete the tcp three way handshake in order to talk HTTP and your javascript code will never be able to send unencrypted data across the wire to your server.
0 Votes
+ -
Let me check on that
georgeou 31st Jan 2008
The hotspot scenario doesn't allow HTTP contact either and I believe it still sends out data. I need to verify with Robert Graham though.
0 Votes
+ -
Explanation...
pheh@... 31st Jan 2008
Sure, check with him. But keep in mind that my point isn't that there is no problem with Google's implementation of Gmail security - that part I agree with.

My point is that the last line of your article is pretty simply misstating the facts when you generalize the Gmail problem to all cookie based/authentication applications being at risk to this methodology of attack if they aren't running under an encrypted VPN or utilizing an encrypted wireless signal.

If the server only listens for SSL/TLS traffic then it is not subject to this type of attack.
0 Votes
+ -
But no one blocks HTTP only mode
georgeou 31st Jan 2008
Even websites that shut down HTTP outlook webmail access have a placeholder there that will redirect to the HTTPS version.
0 Votes
+ -
Thank you! Thank you BOTH!
ideallypc 31st Jan 2008
This is exactly the type of dialog that I look forward to viewing. I appreciate the simple back-and-forth of each position. There is no ego in this, just the facts and viewpoints of each of you who are both very qualified to discuss this topic at its basic level. I can't discuss the specific details at either of your levels, but I do understand exactly what your positions are and appreciate that you are having this open discussion for the benefit of all of us mostly-educated tech professionals. Thanks!
0 Votes
+ -
RE: Even SSL Gmail can get sidejacked
Black Ru 31st Jan 2008
so, lessons are: 1) always close gmail sessions 2) do not use public WiFi hotspots if you are paranoid 3) use IMAP / SMTP / POP3 over SSL/TLS

I think Gmail's strategy (fall back on http only if https fails) is a good security / usability compromise. After all, one should not use free email accounts for one's business or banking ;)
0 Votes
+ -
It's a BAD compromise
georgeou 31st Jan 2008
There's rarely a time when HTTPS will fail and HTTP won't. Most users default to HTTP only anyways and those who EXPLICITLY choose HTTPS do so for a good reason and they don't want their JavaScript dropping down to HTTP.
0 Votes
+ -
RE: Even SSL Gmail can get sidejacked
hnkelley 31st Jan 2008
As someone else mentioned, the CustomizeGoogle Firefox extension will force GMail to keep all its communications encrypted. This is THE major issue and other websites (Yahoo, etc) need to have this as well. BUT, there may be another option. Machine specific, active cookies. What I'm wondering (I am not a programmer or a network security expert) is perhaps the cookie can be made to check to see if it's on the machine it was originally sent to. This could be done by checking MAC (I know that is spoof-able) or a combination of other data such as the machine's currently logged in user. I don't think cookies themselves can be active, but they can cause a communication with the server to check this. Anyone have any idea as to how this could be done or if it's even a good idea?

I need to check with Robert.
0 Votes
+ -
are the only ones that this affects? whats the big deal if thats the case?

or are we talking about session cookies?
0 Votes
+ -
Only WLAN affected
d.s.williams 31st Jan 2008
Not only that, but is it only people who use a laptop or WLAN who are affected, or could anyone be, regardless of how they connect locally?
0 Votes
+ -
WLAN is the easiest way to get sniffed. It's possible to get sniffed on a switched network too; it's a little harder to implement, but not by much.
0 Votes
+ -
Finally some publicity for this common, easy hack. Thanks, George.
0 Votes
+ -
People just don't seem to care that their web sessions are wide open or that their home wireless is using WEP which can be cracked in a minute.
0 Votes
+ -
RE: Even SSL Gmail can get sidejacked
dobedani 31st Jan 2008
I'd suggest to use a wired LAN, if possible
0 Votes
+ -
nt
0 Votes
+ -
vodafone wireless cards?
talukdar_m@... 31st Jan 2008
Now according to the techs at Vodafone, sidejacking shouldn't be possible on their mobile connect cards. I wonder if this is true or whether it would just be harder?
I'm trying to find some kind of white paper detailing how the connection and session takes place for a vodafone 3G card. Anyone have any good pointers?
0 Votes
+ -
3G is a lot more obscure
georgeou 31st Jan 2008
3G is a lot more obscure. It's possible if someone hacked one of the drivers for their cards so they can capture raw packets, then it's no safer than unencrypted Wi-Fi. But since no one has done this that I am aware of yet, it's unlikely.
0 Votes
+ -
Are you in danger if your cookie stores only your ID?

Or if it stores nothing at all?

Is this danger only if your cookie has your ID AND password?
0 Votes
+ -
If you set all login cookies...
jayk_z 31st Jan 2008
If you set all login cookies at all sites to remember nothing...or at most your ID only...are you safe?
0 Votes
+ -
Meh
John Musbach 31st Jan 2008
I don't use my email for business so this isn't too critical for me, people who do use email for business communication should a) be using a work address and b) should not be manipulating their email account through a web interface so this issue becomes irrelevant to them. But hey, if you want to get access to some publicly accessible mailing lists then go ahead and hijack my gmail account... :P

- John Musbach
0 Votes
+ -
RE: Even SSL Gmail can get sidejacked
atari8bit@... 2nd Feb 2008
What do I think? I think Gmail does a better job than anything ELSE out there, that's what.

Msn Yahoo and Hotmail can go away.

Did you not get the part about Gmail being just as hackable? All these services can be sidejacked. ALL OF THEM. Including Google Gmail.

I still do not see an answer to at least 3 inquiries asking whether always logging out AND not storing user names and passwords is a safe way to proceed given the unquestionable security issue. If that is a solution/work-around, I think that is something important for us to know so we can act more appropriately (and advise people who look to us for advice as well).
0 Votes
+ -