[loulug] Sniffing the Gmail session key
- From: Tobin Maginnis <ptm@xxxxxxxxxxxxxxxxxx>
- To: loulug freelist <loulug@xxxxxxxxxxxxx>
- Date: Thu, 09 Aug 2007 15:13:50 -0500
Sniffing the Gmail session key gives access to the
application, with all of the bells & whistles (searching
email, contacts, search history etc), while sniffing the
traffic gives you access to...well...just the email itself.
================
From: Roelof Temmingh [mailto:roelof@xxxxxxxxxxx]
Sent: Friday, August 10, 2007 12:46 AM
To: dave@xxxxxxxxxx
Subject: Gmail 'hacking' - some perspective
Dave - for IP if you wish:
At BlackHat in Las Vegas, Robert Graham had a demo of
'hacking' Gmail - the
media lapped it up and it even made Slashdot [
<http://it.slashdot.org/article.pl?sid=07/08/03/1241217>
http://it.slashdot.org/article.pl?sid=07/08/03/1241217], CNN
etc. Surely it
filtered to people on the IP list as well. Having worked on
the same issue I feel compelled to put it all in perspective.
On a positive side the following. The 'bug' is not new - I
reported the same issue to Google around June 2005 and was
told that another researcher (which I won't mention, but
know personally) have reported the issue to them a month
earlier. The issue has nothing to do with Web2.0 as was
mentioned in the BlackHat talk - it is plain simple session
hijacking that has been around since the introduction of
cookies as a state-keeping mechanism. As such - this is not
a Gmail problem specifically - in fact ANY web application
that transmits session information in the clear has exactly
the same problem. Furthermore the session time-out (or the
reported lack thereof) is as follows - if you checked the
'remember me' checkbox the session lives for about 2 weeks,
regardless of logout. If not, the session is destroyed about
10 minutes after logout. This is different than was
discussed during the talk, and has absolutely nothing to do
with the PREF-ID cookie that expires in 2038. In a 'properly
deployed system' the session time-out is actually quite
irrelevant as we'll see later on.
On the negative side the following. Robert showed how the
cookies can be grabbed using a sniffer. In real world a much
more effective way of doing it is using a transparent proxy
at ISP or large companies (which is in many cases already
deployed) and getting all data that flows through it. In
this scenario the ISP (or corporate network admin) will be
able to extract the cookies from the proxy and perform any
action on it - for example searching the user's email (all
of it, including older messages) for keywords, or collecting
the contact list. With this in mind the time-out of the
session does not play a part, as this hijack happens in real
time and requires no human intervention. The difference
between just sniffing the mail traffic and sniffing the
session is that getting access to the session gives access
to the application, with all of the bells & whistles
(searching email, contacts, search history etc), while
sniffing the traffic gives you access to...well...just the
email itself.
The solution to the problem is simply enforcing SSL for
entire session - thereby encrypting the session ID as well,
rendering sniffing in any form (either with a proxy or
dedicated sniffer) useless. Google indicated in their
response to me that this will burden their servers with
considerable load, and that you can force SSL by logging
into https:/mail.google.com. While this is a bit of a
work-around you are still redirected to the non-SSL page
when clicking the mail icon on Gtalk client etc., and it's
clear that many people just won't go through the hassle of
going the SSL route. Blaming Google for this entire issue is
a bit heavy, as most web mail services (and indeed many
other public web applications) are prone to the same problem.
What is interesting to me is the response this talk
generated from the press and the public - perhaps this is a
wake up call to understand just how little technical
knowledge of web applications goes around with the average
security conference attendee.
Regards,
Roelof Temmingh.
------------------------
Roelof Temmingh
+27 83 448 6996
GMT+2
Other related posts:
- » [loulug] Sniffing the Gmail session key
