New Tool to Automate Cookie Stealing from Gmail, Others
LAS VEGAS, NEV. -- If you use Gmail and haven't yet taken advantage of a feature Google unveiled last week to prevent hackers from hijacking your inbox, now would be an excellent time to do that.
A security researcher at the Defcon hacker conference in Las Vegas on Saturday demonstrated a tool he built that allows attackers to break into your inbox even if you are accessing your Gmail over a persistent, encrypted session (using https:// versus http://).
When you log in to Gmail, Google's servers will place what's called a "session cookie," or small text file, on your machine. The cookie identifies your machine as having presented the correct user name and password for that account, and it can allow you to stay logged in to your account for up to two weeks if you don't manually log out (after which the cookie expires and you are forced to present your credentials again).
The trouble is that Gmail's cookie is set to be transmitted whether or not you are logged in with a secure connection. Now, cookies can be marked as "secure," meaning they can only be transmitted over your network when you're using a persistent, encrypted (https://) session. Any cookies that lack this designation, however, are sent over the network with every Web page request made to the Web server of the entity that set the cookie -- regardless of which of the above-described methods a Gmail subscriber is using to read his mail.
As a result, even if you are logged in to Gmail using a persistent, encrypted https:// session, all that an attacker sniffing traffic on your network would need do to hijack your Gmail account is force your browser to load an image or other content served from http://mail.google.com. After that, your browser would cough up your session cookie for Gmail, and anyone recording the traffic on the network would now be able to access your Gmail inbox by simply loading that cookie on their machine.
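The browser rule the article describes, as an added example that is not code from the article or from Perry's tool: it parses Set-Cookie headers, reports which cookies lack the Secure attribute and would therefore be attached to a plain http:// image request, and appends the missing attribute as the server-side fix. The header values and host names are constructed for the example.

```python
"""Audit Set-Cookie headers for the Secure attribute and model whether a
browser would send each cookie with a plain http:// request.
Added example; all sample data below is constructed."""
from urllib.parse import urlsplit

# Constructed sample response headers: one cookie is marked Secure, one is not.
SAMPLE_SET_COOKIE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; Expires=Fri, 22 Aug 2008 14:02:00 GMT",
    "SSID=def456; Domain=.example.com; Path=/; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True  # bare attributes such as Secure
    return name, value, attrs


def domain_matches(cookie_domain, host):
    """Cookie domain '.example.com' covers example.com and its subdomains."""
    base = cookie_domain.lower().lstrip(".")
    return host == base or host.endswith("." + base)


def would_be_sent(attrs, request_url):
    """Model the browser's decision: a cookie without Secure travels over
    http and https alike; a Secure cookie is only sent over https."""
    url = urlsplit(request_url)
    if not domain_matches(attrs.get("domain", url.hostname), url.hostname):
        return False
    if attrs.get("secure"):
        return url.scheme == "https"
    return url.scheme in ("http", "https")


def audit(headers, request_url="http://mail.example.com/pixel.gif"):
    """Return (cookie name, Secure set?, sent with request_url?) per header."""
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        findings.append((name, bool(attrs.get("secure")), would_be_sent(attrs, request_url)))
    return findings


def fix_header(header):
    """Server-side fix: append '; Secure' to a header that lacks it."""
    _, _, attrs = parse_set_cookie(header)
    return header if attrs.get("secure") else header.rstrip("; ") + "; Secure"
```

Run `audit(SAMPLE_SET_COOKIE_HEADERS)` to see that only the cookie without Secure is attached to the http:// image request, which is exactly the cookie a passive sniffer on the network would capture.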
Not incidentally, there are multiple free tools that people can use to view all Internet traffic flowing across a wired or wireless network and arbitrarily inject images, links and other data into any Web traffic transmitted on the network. While this attack may be more typically executed on a wireless network, Dan Kaminsky's now-famous DNS bug could let attackers do this on a much, much larger scale, by corrupting an entire ISP's network.
To put this attack in perspective, consider the following scenario. You log in to your Gmail account on a wireless hotspot at the local coffee bar, being careful to do so by clicking on a bookmark that sends you to https://mail.google.com. In between reading your e-mail, you surf over to another trusted Web site. A bad guy who has hijacked the establishment's network sees that you've requested a new Web page and appends a tiny image at http://mail.google.com to the page you requested. Bingo. Your browser will spit out the Gmail cookie with your credentials.
If this weren't enough, Mike Perry, a reverse engineer for San Francisco-based Riverbed Technologies, debuted a software tool at the Defcon hacker conference that automates this cookie-stealing method for Gmail, as well as for a number of other Internet heavyweights that he says are similarly vulnerable.
"Web sites can say, 'Only transmit cookies for the https:// version of these image elements,' but Gmail, Facebook, Amazon and a whole bunch of other sites just don't do this," Perry said. I should note here that this attack is hardly new. Perry said he told Google about this problem a year ago, about the same time he posted an alert to the Bugtraq security mailing list about it. Late last month, Google finally announced a new setting for Gmail users labeled "Always Use https://". While people who have selected this option are immune from this attack, many Gmail users may errantly assume that they are just as protected if they start the login process by typing a persistent, encrypted connection (https://mail.google.com) into their browser.
Without checking the new "Always Use https://" setting in Gmail, users remain vulnerable to this attack.
"Google did not explain why using this new feature was so important," Perry said. "This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they're secure but they're really not."
Perry said he is currently investigating whether more sensitive targets, such as online banking sites, also may be vulnerable to this kind of attack.
If you're wondering how to best protect yourself when visiting online sites that may or may not force secure cookies, the best advice is to use the "logout" button when you are done using the site, as this will kill the cookie planted by the site.
I'm guessing many sites do not set the secure bit on their session cookies because it saves them money. It will be interesting to see how many sites change their practices within the next couple of weeks. Perry said he plans to publicly release his automated cookie-stealing tool in about two weeks.
August 10, 2008; 2:02 PM ET