
January 31st, 2008

Even SSL Gmail can get sidejacked

Posted by George Ou @ 2:09 am

Categories: Browsers

Tags: Google Gmail, HTTP, SSL, Cookie, Sidejacking, E-mail Providers, Web 2.0, Ssl/Tls, Authentication/Encryption, Network Security

When Robert Graham demonstrated how Web 2.0 wasn’t safe at last year’s Black Hat, it was thought that at least the SSL mode (HTTPS) of Google Gmail would be spared from sidejacking. That presumption now appears to be false, according to this updated blog posting from Graham. Even with SSL enabled, Gmail sessions can still be hijacked with Graham’s Hamster and Ferret tools (or, less easily, with Wireshark and Mozilla’s cookie editor).

Sidejacking is the term Graham uses for his session hijacking attack, which can compromise nearly all Web 2.0 applications that rely on saved cookie information to seamlessly log people back in to an account without the need to re-enter the password. By capturing and storing wireless traffic with any laptop, an attacker can harvest cookies from multiple users and get into their Web 2.0 applications. Even though the password was never cracked or stolen, possession of the cookies acts as a temporary key to Web 2.0 applications such as Gmail, Hotmail, and Yahoo. The attacker can even find out what books you ordered on Amazon, where you live from Google Maps, acquire digital certificates with your email account in the subject line, and much more.

Gmail in SSL (https) mode was thought to be safe because it encrypted everything, but it turns out that Gmail’s JavaScript code falls back to unencrypted http mode if https isn’t available. This is actually a very common scenario: a laptop connects to a hotspot before the user has signed in to the hotspot, and if Gmail is open it tries to reach Google but can’t connect to anything. At that point Gmail’s JavaScript retries over unencrypted http, and it’s game over if someone is capturing the traffic.
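To make the fallback problem concrete, here is an added example (not code from the post, Graham, or Google) that models the browser rule that decides which cookies ride along on a request: a cookie without the Secure attribute is sent over plain http too, so the fallback request carries the session token in the clear, while the same cookie marked Secure stays home. The cookie name SID, the value, and the example.com hosts are constructed for illustration.

```python
"""Simulate which cookies a browser attaches to a request, to show why an
HTTPS-to-HTTP JavaScript fallback exposes the session cookie unless that
cookie carries the Secure attribute. Cookie names and hosts are constructed
for illustration and are not Gmail's real cookie names."""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value, attrs


def cookies_sent_to(cookies, url):
    """Return names of cookies a browser would send to `url`: the domain must
    match, and Secure cookies go out only over https. Path handling is omitted."""
    u = urlsplit(url)
    sent = []
    for name, _value, attrs in cookies:
        domain = attrs.get("domain", u.hostname).lstrip(".")
        if u.hostname != domain and not u.hostname.endswith("." + domain):
            continue
        if attrs.get("secure") and u.scheme != "https":
            continue
        sent.append(name)
    return sent


def audit(cookies):
    """Names of cookies that would leak on a plaintext fallback request."""
    return [n for n, _v, a in cookies if not a.get("secure")]


# Constructed headers: the weak configuration (session cookie without Secure)
# beside the corrected one (same cookie with Secure).
WEAK = [parse_set_cookie("SID=abc123; Domain=.example.com; Path=/; HttpOnly")]
FIXED = [parse_set_cookie("SID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    for label, jar in (("weak", WEAK), ("fixed", FIXED)):
        print(label, "http fallback sends:", cookies_sent_to(jar, "http://mail.example.com/"),
              "| leaks on plaintext:", audit(jar))
```

Running it shows the weak jar handing SID to the http fallback request while the fixed jar sends nothing over http and SID only over https; the audit function is the check to run against any application's Set-Cookie headers.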

What’s really sad is that Google Gmail is one of the “better” Web 2.0 applications out there and it still can’t get security right, even when a user actually chooses to use SSL mode. Other applications like Microsoft’s MSN/Hotmail and Yahoo don’t even have SSL modes. The fact that they use SSL for first-time authentication and sign-in is irrelevant, because they all drop down to unencrypted mode right after the user authenticates.

At this point in time, unless you’re using a secure wireless LAN with link layer security or unless you use a VPN and route all your traffic through the VPN gateway, you’re wide open to sidejacking for any cookie-using web application on any unencrypted wireless LAN.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

Talkback (most recent of 54):

RE:: Even SSL Gmail can get sidejacked
I can agree with the assertion that "cookies" themselves are not the fault in this gMail sidejacking scenario.

It is preposterous that, in the interests of getting the e-mail throu...
Posted by: wti, 03/01/08
