The Register® — Biting the hand that feeds IT

Feeds

Flash: Public Wi-Fi even more insecure than previously thought

How to gain permanent access to Gmail accounts

By Dan Goodin, 2nd August 2007
  • print
  • alert

What you need to know about cloud backup

Black Hat Users of Yahoo! Mail, MySpace and just about every Web 2.0 service take note: If you access those services using public Wi-Fi, Rob Graham can probably gain unlimited access to your account - even if you logged in using the secure sockets layer protocol.

Graham, who is CEO at Errata Security, demonstrated the hack to attendees of the Black Hat security conference in Las Vegas. The technique uses a plain-vanilla network sniffer to read the cookies returned by Google Mail, Hotmail and scores of other sites after a user has entered login credentials.

The websites rely on the cookie as a session ID to validate the browser as belonging to the person who just logged in. By copying the cookie and attaching it to a completely different browser Errata Security researchers showed it was easy to gain unfettered access to the accounts of others.

Picture of Rob Graham with notebook computer sitting on his lap

Rob Graham displays the Gmail account of an unsuspecting Black Hat attendee

"If I sniff your Gmail connection and get all your cookies and attach them to my Gmail, I now become you, I clone you," Graham said during a presentation on Thursday. "Web 2.0 is now fundamentally broken."

The technique allowed Graham to open the Gmail account of an unsuspecting Black Hat attendee who had used the conference access point to get his email. Although the Errata Security chief closed the window several seconds after accessing it, nothing short of good manners prevented him from reading the person's messages, or, for that matter, accessing maps, calendar or other Google properties used by that person.

The hack caught our attention because it shatters a common assumption concerning secure surfing on public access points. Up until now, we felt relatively safe using hotspots to access email as long as we logged in with an SSL session. Yes, we knew that any subsequent pages that were not appended by "https" in the address bar were were susceptible to snooping, but intruders still had no way to access the account itself.

Now we know better. Any session that isn't protected from start to finish by SSL is vulnerable to the hack. And because session IDs generated by most sites are valid for an indefinite period, that means intruders could silently access our accounts for years - even if we regularly change our passwords.

The only way Graham said he knew to work around the vulnerability is to use Google and select options that automatically keep Gmail, Google Calendar and several other properties encrypted throughout the entire session. (Check our Defcon Survival Guide for more on this.) If you use most other services, you're out of luck, as they all switch to an unencrypted browsing mode after login. ®

Cloud based data management

COMMENTS

House Rules Send Corrections
All Reader Comments (36)
Latest Comments
Andrew

Tunnels

For the last year I've been sending everything through an SSH tunnel with a http proxy on the other end when using public WiFi. Ensures end-to-end encryption. While I know there's probably *some* way to compromise even this, it's much more secure than just relying on SSL.

If you have any access to an SSH server connected to a proxy, I strongly recommend this method.

0
0
Dan Kitchen

Multiple IP addresses and sessions

It should be noted that the majority of websites DO actually check that the IP address the cookie is being used from is the same that the login came from.

Although lots of companies use banks of proxy servers there is usually some session affinity to ensure that once you access a certain website your requests always come from the same proxy/cache. I have personal experience at one of my clients sites where they tried to load balance the internet connectivity across multiple DSL connections and requests would come from different IP's all the time, this broke pretty much all websites that required logins until the session affinity feature was switched on.

Although this attack is a vulnerability I think it's very insignificant in that it would be very time consuming to do, with little to no interesting/significant win for the hacker 99% of the time.

0
0
Anonymous Coward
Anonymous Coward

rinse repeat

This was brought up at least two years ago as possible and a reason not to use gmail in that fashion anyway I don't like gmail (nothing to do with security I just don't like the interface) but if you think about it your asking for it if you don't pay attention when security minded people point out a new service is vulnerable. Of course none of this means anything if your email is being forked over to outside parties by the service so none of them are safe and people that work there can always read them nothing email is private get used to it.

0
0

More from The Register

breaking news
Curtain drops on Apple Store ahead of WWDC: What lies behind?
Steve Jobs watching from on high. No pressure, lads
38
breaking news
Cold, dead hands of Steve Jobs slip from iPhones: The Cult of Ive is upon us
Billionaire biz baron's death clears way for uber-shiny iOS 7
135
Airbus imagines suitcases that find themselves
Point your mobe at your smalls to track their every move
44
Surprise! Intel smartphone trounces ARM in power trials
Tests show equal performance while sipping significantly less juice
87
Apple said to be 'exploring' 5.7-inch iPhone
Who's the copycat this time, Mr. Cook?
53
Review: Belkin Thunderbolt Express Dock
Missing Mac ports reunited, for a price
39
AMD announces 'world's first commercially available 5GHz CPU'
When is 5GHz not quite 5GHz?
67
breaking news
Samsung wins Apple MacBook contract, starts spitting out PCIe SSDs
Small-time card-shufflers are toast
13
Australian 'Apple tax' repealed for MacBook Air
But the new MacPro is priced at a premium
6
Magpie Apple plunders the competition for cosmetics, as egos run wild
Is it 1985 again?
119