SSL Gmail Not Safe — UPDATED Threat Level @badwebsites @DavidFeng


One of the big stories at DefCon last year was a security researcher’s demonstration of wirelessly sniffing users’ session cookies while they accessed their e-mail accounts or conducted e-commerce transactions via wireless networks. The attack allowed a hacker access to the victim’s Gmail or Hotmail account without needing to decipher the user’s password.

Now the security researcher who presented that finding has found that even using SSL (HTTPS) to access your Gmail account — which was touted at the time as a surefire way to protect Gmail users against such an attack — is vulnerable to this hack.

Robert Graham of Errata Security says he’s been able to grab session cookies even when users access their account in a presumably secure manner. He describes the vulnerability on his blog:

In theory, using the HTTPS version of Gmail should protect you by going to https://mail.google.com/mail, but this doesn’t work as you think. The JavaScript code uses an XMLHttpRequest object to make HTTP requests in the background. These are also SSL encrypted by default – but they become unencrypted if SSL fails.

When you open your laptop and connect to a WiFi hotspot, it usually presents you with a login page, or a page that forces you to accept their terms and conditions. During this time, SSL will be blocked. Gmail will therefore back off and attempt non-SSL connections. These also fail – but not before disclosing the cookie information that allows hackers to sidejack your account.
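The fallback Graham describes only leaks anything because the browser attaches the session cookie to the plaintext retry, and whether it does so is governed by the cookie's Secure attribute. The following is an added example, not code from the article, from Errata Security or from Google: it uses Python's http.cookiejar, which applies the same Secure-flag rule that browsers do, to show a constructed session cookie being attached to an http:// request when it was set without Secure, and withheld when it was set with Secure. The host name is the one from the article; the cookie name SID and its value are constructed placeholders, and no network traffic is generated.

```python
"""Show how a session cookie's Secure flag decides whether it is attached to a
plaintext http:// request, such as the non-SSL fallback described above.

Runs entirely offline: the HTTPS "response" that sets the cookie is constructed here.
"""
import http.cookiejar
import urllib.request
from email.message import Message

HOST = "mail.google.com"            # host from the article; nothing is contacted
SECURE_URL = f"https://{HOST}/mail"
PLAIN_URL = f"http://{HOST}/mail"   # the unencrypted fallback request

# Constructed Set-Cookie headers. "SID" and its value are placeholders, not real Gmail cookies.
COOKIE_WITHOUT_SECURE = "SID=constructed-session-id; Path=/"
COOKIE_WITH_SECURE = "SID=constructed-session-id; Path=/; Secure; HttpOnly"


class _ConstructedResponse:
    """Minimal stand-in for an HTTP response: the cookie jar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends repeated headers

    def info(self):
        return self._headers


def jar_after_https_login(set_cookie_value):
    """Return a cookie jar as it looks after an HTTPS response set the cookie."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(SECURE_URL)
    jar.extract_cookies(_ConstructedResponse([set_cookie_value]), login_request)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url, or None.

    http.cookiejar refuses to add a cookie marked Secure to a non-https request,
    which is the same rule a browser follows.
    """
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def fallback_exposure(set_cookie_value):
    """Simulate "SSL fails, retry over plain HTTP" and report what each request carries.

    Returns a dict with the Cookie header for the https request and for the http retry.
    """
    jar = jar_after_https_login(set_cookie_value)
    return {
        "https": cookie_header_for(jar, SECURE_URL),
        "http": cookie_header_for(jar, PLAIN_URL),
    }


if __name__ == "__main__":
    for label, header in (("no Secure flag", COOKIE_WITHOUT_SECURE),
                          ("Secure flag", COOKIE_WITH_SECURE)):
        result = fallback_exposure(header)
        print(f"{label:14}: https -> {result['https']!r}, http -> {result['http']!r}")
```

With the Secure attribute absent, the http retry carries the full session cookie, which is exactly what a hotspot-level sniffer would capture; with Secure set, the https request still gets the cookie but the plaintext retry gets none. The same check can be run against any real Set-Cookie header captured from a site you operate to confirm which cookies would survive a downgrade.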

UPDATE: Reader Nicholas Weaver has pointed out a link to further discussion of this issue that might interest other readers. He’s also written up a nice clear description explaining the issue on his own blog.

STILL #HACKED ~>> http://bit.ly/bZksyL

I'm still hacked! Autopost was blocked through Google.... wtf??? Also... tmomail [BlackBerry] email just started coming in with read receipts!! Fuck that! I need a god damn phone....

lock thar shit down! not too thrilled with google or blackberry wifi right about now... have you my whois: list???

https://ssd.eff.org/tech

check this shit out.... http://bit.ly/bZksyL

Posted via web from ElyssaD's Posterous
