How to hack Gmail 92 percent of the time

Summary: Impossible? Apparently not, as US researchers have discovered.

US researchers have discovered a flaw which may exist across Android, Windows, and iOS operating systems, and could allow popular services such as Gmail to become compromised.

Security experts from the University of California Riverside Bourns College of Engineering and the University of Michigan identified a weakness believed to exist in all of the above operating systems, which could allow a cyberattacker to steal sensitive data through malicious applications.

The weakness was tested through an Android smartphone, but the researchers claim the method could be used across all of the platforms -- as each OS shares a similar feature: the ability for applications to access a mobile device's shared memory. However, no tests have yet been conducted on other systems.

The attack begins when a user downloads a seemingly harmless application, such as a background wallpaper. Once the app was installed, the researchers were able to exploit a newly discovered public side channel, the shared memory of a process, which can be accessed without permissions or app privileges.

Changes within the shared memory are then monitored, and these changes are correlated with what the team calls an "activity transition event." In other words, when a user is actively using an app, for example, to log into Gmail or take a picture of a cheque so it can be deposited online via Chase Bank, activity changes are noted.

There are two stages to this attack: firstly, the attack needs to take place in real time, such as the moment when the user is logging into Gmail. Secondly, the hack needs to be done so it is undetectable by the user -- which can be achieved through good timing.

The method used to exploit the flaw was successful "between 82 percent and 92 percent of the time" on six of the seven apps tested. Among the applications that were successfully infiltrated were Gmail, Chase Bank and H&R Block.

Attacks on Gmail were successful 92 percent of the time, as were attacks on H&R Block. Attacks placed on Chase, Newegg, WebMD and Hotels.com apps were successful 83 percent, 86 percent, 85 percent and 83 percent of the time respectively.

The only app that was difficult to penetrate was Amazon, with a 48 percent success rate. The reason Amazon is more difficult to crack is that the app allows one activity to transition to another activity seamlessly, making timed attacks less likely to succeed and activities more difficult to predict.

Zhiyun Qian, an associate professor at UC Riverside, commented:

"By design, Android allows apps to be preempted or hijacked. But the thing is you have to do it at the right time so the user doesn’t notice. We do that and that’s what makes our attack unique."

Qian suggests that users "don't install untrusted apps," and for developers, the researcher says that a more careful tradeoff between security and functionality needs to be set in stone.

The paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks," (.PDF) will be presented 22 Aug at the USENIX Security Symposium in San Diego. A video of one of the attacks in action is below.

Talkback

48 comments
  • Right of reply?

    The project - and the article - make serious accusations against OS and applications; gmail more than most. Did anyone, at any time, bother to ask them for comment?
    [that's journalism 2.01 - maybe next year?]

    I note there hasn't even been peer review yet.
    Heenan73
    • Bingo!

      That's our biggest problem with 'Journalists' of today.

      Anyone today can write a 'story' and post it on-line. There are no guarantees that the 'story' has been properly vetted for facts or that all parties mentioned have had an opportunity to comment before the 'story' is let loose on to the internet.

      Facts have become less important in order to be 'First' to post and most of today's society DO NOT question the accuracy or completeness of what they read IMO.

      The old excuse for lazy consumers....

      "If it's on the internet, so it must be true"


      This is actually an interesting article, but is clearly not complete. It would be nice if this was presented as a multiple-part INVESTIGATIVE story. Inquiring minds want to know ALL the facts.

      No disrespect intended for Charlie Osborne, but I just wanted to express my agreement with Heenan73's comment and express my opinion.
      GotThumbs
      • Journalists??

        Good lord that was a long time ago. Nowadays it's just economical bloggers and self-proclaimed (otherwise unemployed) writers for hire. Witness your author here with a degree in "Medical Anthropology" for example.

        It reminds me a little of fellow uni students who chose to pursue a degree in 18th century French poetry, or similar 'unemployment-in-waiting' type pursuits.
        Flawless Cowboy
        • Except that...

          You have not mentioned whether or not (1) you have a degree in the first place and (2) on what basis you can critique the value of the degree under question. Indeed, perhaps a third question can be posed to you: Are you, in fact, educated - degree or otherwise - in the first instance?
          crystalsoldier
          • "You have not mentioned whether or not (1) you have a degree..."

            Ahh...nor have you Ace. Which makes YOU look like sort of a hypocrite, now doesn't it.

            And for the record...no I do not. But having a degree does not make anyone smarter...just means they have more information on a particular subject.

            I'm a Sys Admin for a major research University, and some of the stupidest people on the planet work here...and have a PhD after their name.
            IT_Fella
          • Ah...

            No it does not. The reason I flagged that comment is because regardless of what the content of the post is, why would anyone denigrate the author of the piece based on her degree? And, in light of your specific comment, what is worrying is the lack of appreciation which, in turn, stems from a lack of understanding of what it takes to get a PhD - regardless of the subject area. And, as for your observations regarding "stupidest people" having PhD, consider for a moment what they may privately think about you!
            crystalsoldier
    • Since you are a troll

      If this was about outlook.com or Microsoft you would be all over it as that is Microsoft. But your beloved scroogle is outed and then it is protect the hive time. You are such a phony.
      hoppmang
      • aww and I hoped to get in before the inevitable "troll" tard..

        People who disagree are not "trolls", they simply disagree with you.

        Sack up soldier, and accept it like an adult.
        Flawless Cowboy
      • If this was about outlook.com or Microsoft

        Not even true ... I even posted just a couple of hours ago defending microsoft on another topic (appstore).

        I go on the facts, and I don't like sloppy journalism. Get over it.
        Heenan73
      • Hello McFly?

        Do you skip straight to comments after reading article titles? The article title is ludicrous given the content. This is about Android, iOS, and Windows phone and likely any application run on them.
        You are the phony full of baloney or hopped up on something mang.
        Huckleseed
        • IOS

          I don't believe IOS has shared memory. The ability of one Android app to be able to interact with the shared memory of another app was mentioned long ago in security discussions.
          hforman@...
      • The article did mention Windows,

        Android and iOS operating systems. What was not mentioned was Desktop Linux OS's.
        BoxOfParts
        • oh but

          The Linux mob love telling us that Android is Linux so I guess that does mean Linux desktops as well...
          aesonaus
          • Get real

            So a real live anti-Linux troll rears its ugly head, you just couldn't resist taking a swing at Linux. But you got two things (most likely more) totally screwed up in your head. Android runs the Linux Kernel, GoOgle wrote their own code on top of it and called it Android. It won't affect Linux desktops because Linux desktop OS's aren't mobile devices. Linux also has an extra layer of protection in how it deals with shared memory, permissions have to be set.
            But even if it did pertain to Linux, as secure as it is, it won't make a difference if you're installing unsecure or infected apps on the OS.
            Thanks for trying to turn an otherwise normal thread into an anti-Linux war. {Sarcasm}
            Tinman57
          • If

            If I were to use your line of thought, then it's the Microsoft OS's that's at fault here, but that wouldn't be quite fair, even though this IS the fault of Microsoft the company.....
            http://www.zdnet.com/the-microsoft-store-a-wretched-hive-of-scams-and-fake-apps-7000032878
            Tinman57
    • The paper reports

      The paper reports results confirming that a hack was successful.
      http://ucrtoday.ucr.edu/24266

      Sufficient information is provided that other researchers can do their own experiments.
      ka5s@...
    • Already Common Knowledge

      Including side-loaded apps, Android "allows" one app to see the shared memory of another app. This hasn't changed in years so I don't consider this to be anything new.
      hforman@...
  • Anything Google is insecure... privacy holes, security holes,

    .
    Owl:Net
    • Microsoft

      Taught them well.
      Alan Smithie
    • Someone didn't read past the headline.

      This article has VERY little to do with Google. The process described is to basically download spyware onto your device. Once you do that, ANYTHING you do on your phone is insecure, no matter what brand of phone you have or what service you're accessing. Why they chose to say Gmail in the headline instead of that is beyond me.
      AnomalyTea