Even SSL Gmail can get sidejacked

Summary: When Robert Graham demonstrated how Web 2.0 wasn't safe at last year's Blackhat, it was thought that at least the SSL mode (HTTPS) of Google Gmail would be spared from sidejacking.

When Robert Graham demonstrated at last year's Black Hat how Web 2.0 applications weren't safe, it was thought that at least the SSL (HTTPS) mode of Google Gmail would be spared from sidejacking. That presumption now appears to be false, according to this updated blog posting from Graham. Even with SSL enabled, Gmail sessions can still be hijacked with Graham's Hamster and Ferret tools (or, less easily, with Wireshark and Mozilla's cookie editor).

Sidejacking is Graham's term for his session-hijacking attack, which works against nearly all Web 2.0 applications that rely on a saved cookie to log users back in seamlessly without re-entering the password. By passively listening to and storing radio traffic from the airwaves with any laptop, an attacker can harvest cookies from multiple users and walk into their Web 2.0 accounts. The password itself is never cracked or stolen, but possession of the cookies acts as a temporary key to applications such as Gmail, Hotmail, and Yahoo. The attacker can also find out what books you ordered on Amazon, where you live from Google Maps, acquire digital certificates with your email address in the subject line, and much more.

Gmail in SSL (https) mode was thought to be safe because everything was encrypted, but it turns out that Gmail's JavaScript code falls back to unencrypted http if https isn't available. This is a very common scenario: a laptop connects to a hotspot before the user has signed in to it, an already-open Gmail tab tries to reach Google and cannot connect to anything, and Gmail's scripts then attempt to communicate over unencrypted http. If someone is capturing the traffic at that moment, it's game over.
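The reason the http fallback matters is that a session cookie without the Secure attribute is attached to plaintext requests just as readily as to encrypted ones. The following added example (not code from the article, from Graham, or from Google) models the browser's cookie-attachment rule and shows the same constructed session cookie with and without Secure; the cookie name, value and example.com hosts are constructed placeholders.

```python
"""Added example: a minimal model of the browser rule that decides whether a
cookie travels with a request, used to show why a session cookie that lacks
the Secure attribute leaks when a page's scripts fall back from https to http.
All cookie names, values and hostnames below are constructed for illustration."""
from urllib.parse import urlparse


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def cookies_sent(set_cookie_headers, set_by_host, request_url):
    """Return the names of cookies a browser would attach to request_url.
    Only the Domain match and the Secure/scheme rule are modelled."""
    url = urlparse(request_url)
    sent = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", set_by_host).lstrip(".")
        if not (url.hostname == domain or url.hostname.endswith("." + domain)):
            continue
        # A Secure cookie is never sent over a non-https connection, so the
        # http fallback carries no session identifier an eavesdropper could reuse.
        if "secure" in attrs and url.scheme != "https":
            continue
        sent.append(name)
    return sent


# Constructed login responses: the same session cookie, weak and hardened.
WEAK_COOKIES = ["SID=abc123; Domain=.example.com; Path=/"]
FIXED_COOKIES = ["SID=abc123; Domain=.example.com; Path=/; Secure"]


def exposed_on_http_fallback(set_cookie_headers):
    """Cookies that would travel in the clear if a script retries over http."""
    return cookies_sent(set_cookie_headers, "mail.example.com",
                        "http://mail.example.com/")


if __name__ == "__main__":
    print("leaked without Secure:", exposed_on_http_fallback(WEAK_COOKIES))
    print("leaked with Secure:   ", exposed_on_http_fallback(FIXED_COOKIES))
```

The hardened cookie is still sent on the https request, so the fix costs nothing when the encrypted connection works and only withholds the cookie when it would otherwise go out in the clear.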

What's really sad is that Google Gmail is one of the "better" Web 2.0 applications out there and it still can't get security right, even when a user actually chooses to use SSL mode. Other applications like Microsoft's MSN/Hotmail and Yahoo don't even have SSL modes. The fact that they use SSL for the initial authentication and sign-in is irrelevant, because they all drop down to unencrypted mode right after the user authenticates.

At this point, unless you're using a secure wireless LAN with link-layer security, or you use a VPN and route all your traffic through the VPN gateway, you're wide open to sidejacking for any cookie-based web application on any unencrypted wireless LAN.

Talkback

54 comments
  • ZDNet requires cookies to work...

    when using talkback. This is ridiculous. According to this blog, this is a security risk. Even though security is not a real issue when using talkback, requiring cookies, by this blog's own admission, is not the most secure way to conduct business.
    bjbrock
    • The issue isn't specifically cookies or SSL

      In the linked blog, he even states that some sites do it "right". The issue with gmail is that if SSL fails, it automatically drops to non-SSL mode, sending your ID cookie unencrypted.

      But really, who cares about stealing your zdnet account? Just so they can post and pretend to be bjbrock?

      Heyyyy... How do we know that's really you?
      jred
    • It's not cookies that are the problem

      Cookies are neither secure nor insecure, they're just post-it notes. If you write your shopping list on a post-it note, there's not much security risk there. If you write your password on one, it suddenly becomes more serious. But don't blame the post-it notes themselves.


      The issue is with the web sites using non-encrypted communication during authentication, not using cookies.
      bmerc
      • Almost right ....

        the trick is to use SSL for all of the communication. Then you're ok, because nobody sees your cookie (which translates to "valid user" on the web server).
        fr0thy
    • All sites do this, including ZDNet

      All sites do this, including ZDNet. That means if someone sidejacks you while you post a message here over a hotspot, then they'll be able to post messages as you.

      I'm not going to tell you this isn't a problem or that there is an excuse for this, but compared to getting Hotmail, Yahoo, or Gmail sidejacked, this is a relatively small problem.
      georgeou
      • All sites do this

        As some have said, I cannot talk about this issue at your level. However, I do have a concern about "All sites do this, including ZDNet" and then saying there may or may not be a problem with it or that there is an excuse. Then comparing it to Hotmail, Yahoo, or Gmail being sidejacked, this is a relatively small problem. Isn't that saying that if ZDNet shoots you with a 22 cal. bullet that is a relatively small problem, because Hotmail, Yahoo and Gmail use a 357 magnum? If this is a problem, then why don't the "experts" fix it when we communicate with their site? If this problem cannot be fixed, then why are we wasting time talking about it? It just goes with the idea that we are going to be using computers forever.
        Thanks, Bob
        Magicianbp@...
        • This isn't your personal email

          Again, I'm not excusing ZDNet or anyone else, this is a problem. But the worst thing that happens if you get sidejacked on ZDNet is that someone gets to post relatively anonymous talkback on behalf of your somewhat anonymous account.

          If someone sidejacks a GMail, Hotmail, Yahoo mail, etc. account, they get to read your personal email past, present and future. They also get to send email on behalf of you and acquire S/MIME digital signature certificates with your email account so they can pretend to be you. They can have interactive and insulting communications with other people on behalf of you and delete that conversation so you never know what happened until you get a rude surprise.
          georgeou
          • Or can they?

            That may or may not be so. Yahoo periodically asks you to re-enter your password, even if you wanted to be left logged on, and always asks for it if you want to make any changes to your account, such as changing passwords etc. Surely any sidejacker would get stopped at that hurdle, wouldn't they? I always assumed this was the reason for such hurdles in any case.
            d.s.williams
  • RE: Even SSL Gmail can get sidejacked

    Not sure what you mean by "if https isn't available", but if you use the CustomizeGoogle extension to Firefox, you can force GMail to use https: all the time.
    shoktai@...
    • That only addresses the webpage, not the JavaScript

      That only addresses the webpage, not the JavaScript dropping back to HTTP problem.
      georgeou
  • Nonrepudiation

    While my GMail account may get sidejacked, people that I communicate with will know if I sent the email or not because I use Evolution as a client and every message is signed by me. I VERY seldom use the webmail access. It isn't convenient nor is it as safe as POP/SMTP.
    tw_cook
    • POP/SMTP Secure?

      Uhhh... POP3 & SMTP are wide open. If you're on an unencrypted wireless or other open network, sniffing your password in clear text is a breeze. And if I hacked into your GMail account I may not be e-mailing your contacts but be spewing SPAM from your account that Google and the world would swear came from you.
      GeneBuettner
      • GMail's POP/SMTP is encrypted

        Gmail uses SSL for POP connections and TLS for SMTP. So "wide open" would not appear to be a correct description, this latest vulnerability aside.
        scott_c_jordan
      • Yes, it is secure if you use POP, SMTP, IMAP with SSL

        Yes, it is secure if you use POP, SMTP, IMAP with SSL and/or TLS. I'm not sure if Google forces the use of SSL or not though but their instructions tell you to use SSL or TLS.
        georgeou
    • You and 0.1% of the other population use digital signature

      You and 0.1% of the other population use digital signature. That still doesn't prevent someone from reading all of your email. It still won't prevent someone from using an automated Certificate Signup mechanism with Thawte to get their own X.509 certificate with your email account signed on it.
      georgeou
      • The Thawte certificate won't match his.

        "It still won't prevent someone from using an automated Certificate Signup mechanism with Thawte to get their own X.509 certificate with your email account signed on it."

        Problem is, the new certificate wouldn't match the one he's using - certificates are created in such a way that no two are alike. If they are set up properly to read his digital signature, they'll be notified immediately that the email is using a different certificate.

        But you are correct that very few people use this technology.
        CobraA1
        • Doesn't matter if it doesn't match, it will be a valid cert

          Doesn't matter if it doesn't match, it will be a valid cert. Email clients won't care if the cert doesn't match, they'll report it as a valid cert.
          georgeou
      • digital signatures

        I'm in the legal field and digital signatures are used often. I don't know a lot about security but this has been going on for a while with no problems I'm aware of in Chicago. Now, if you accidentally fax your defense strategy to the other party, that's a whole other matter :-)
        Dawn
        dariced@...
  • RE: Even SSL Gmail can get sidejacked

    Is this an issue for people that do not store user names and passwords AND logout of Web 2.0 applications such as Gmail, Hotmail, and Yahoo when they are finished?
    VTSkiBum
    • What happens is

      somebody listening to unencrypted traffic on a network that your communication traverses can pick up your cookie of "session_id=hdfgsdfgskgsdkf" and use that themselves, assuming the server is coded dumbly enough to just accept that.
      fr0thy