
New Tool to Automate Cookie Stealing from Gmail, Others

LAS VEGAS, NEV. -- If you use Gmail and haven't yet taken advantage of a feature Google unveiled last week to prevent hackers from hijacking your inbox, now would be an excellent time to do that.

A security researcher at the Defcon hacker conference in Las Vegas on Saturday demonstrated a tool he built that allows attackers to break into your inbox even if you are accessing your Gmail over a persistent, encrypted session (using https:// versus http://).


When you log in to Gmail, Google's servers will place what's called a "session cookie," or small text file, on your machine. The cookie identifies your machine as having presented the correct user name and password for that account, and it can allow you to stay logged in to your account for up to two weeks if you don't manually log out (after which the cookie expires and you are forced to present your credentials again).



The trouble is that Gmail's cookie is set to be transmitted whether or not you are logged in with a secure connection. Now, cookies can be marked as "secure," meaning they can only be transmitted over your network when you're using a persistent, encrypted (https://) session. Any cookies that lack this designation, however, are sent over the network with every Web page request made to the Web server of the entity that set the cookie -- regardless of which of the above-described methods a Gmail subscriber is using to read his mail.



As a result, even if you are logged in to Gmail using a persistent, encrypted https:// session, all that an attacker sniffing traffic on your network would need do to hijack your Gmail account is force your browser to load an image or other content served from http://mail.google.com. After that, your browser would cough up your session cookie for Gmail, and anyone recording the traffic on the network would now be able to access your Gmail inbox by simply loading that cookie on their machine.
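To make the cookie rule concrete, here is an added example (not from the article and not Perry's tool) that models a browser's Secure-attribute check with Python's standard library and compares a session cookie set without the attribute against one set with it, plus the harmless non-Secure redirect cookie Jesse Ruderman proposes in the comments below. The cookie names, values, domain and the injected image URL are constructed for illustration.

```python
"""Model of the Secure cookie attribute described in the article.

Constructed example: a minimal cookie jar applying the browser rule that a
cookie carrying 'Secure' is only sent over https, while any other cookie is
attached to every request to the setting site, plaintext included.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers; names and values are made up.
WEAK = "session=c0ffee; Path=/; Domain=mail.google.com"            # no Secure
HARDENED = "session=c0ffee; Path=/; Domain=mail.google.com; Secure"
# Non-secret cookie that lets http:// bounce to https:// (Ruderman's idea).
REDIRECT = "prefer_https=1; Path=/; Domain=mail.google.com"


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into {name, value, domain, secure}."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()          # exactly one cookie per header
    return {
        "name": name,
        "value": morsel.value,
        "domain": morsel["domain"].lstrip("."),
        "secure": bool(morsel["secure"]),  # '' when absent, True when present
    }


def cookies_sent(stored: list, url: str) -> list:
    """Names of stored cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    out = []
    for c in stored:
        in_scope = host == c["domain"] or host.endswith("." + c["domain"])
        allowed = parts.scheme == "https" or not c["secure"]
        if in_scope and allowed:
            out.append(c["name"])
    return out


def leaked_by_injected_image(set_cookie_headers: list,
                             image_url: str = "http://mail.google.com/pixel.gif") -> list:
    """Cookies exposed when an injected plaintext image is loaded."""
    stored = [parse_set_cookie(h) for h in set_cookie_headers]
    return cookies_sent(stored, image_url)


if __name__ == "__main__":
    print("weak:", leaked_by_injected_image([WEAK]))                # ['session']
    print("hardened:", leaked_by_injected_image([HARDENED, REDIRECT]))  # ['prefer_https']
```

With the weak header the session cookie rides along on the injected http:// image request; with the hardened pair only the valueless redirect cookie does, while the session cookie still reaches the https:// site.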



Not incidentally, there are multiple free tools that people can use to view all Internet traffic flowing across a wired or wireless network and arbitrarily inject images, links and other data into any Web traffic transmitted on the network. While this attack may be more typically executed on a wireless network, Dan Kaminsky's now-famous DNS bug could let attackers do this on a much, much larger scale, by corrupting an entire ISP's network.



To put this attack in perspective, consider the following scenario. You log into your Gmail account on a wireless hotspot at the local coffee bar, being careful to do so by clicking on a bookmark that sends you to https://mail.google.com. In between reading your e-mail, you surf over to another trusted Web site. A bad guy who has hijacked the establishment's network sees that you've requested a new Web page and appends a tiny image at http://mail.google.com to the new page you requested. Bingo. Your browser will spit out the Gmail cookie with your credentials.



If this weren't enough, Mike Perry, a reverse engineer for San Francisco-based Riverbed Technologies, debuted a software tool at the Defcon hacker conference that automates this cookie-stealing method for Gmail, as well as for a number of other Internet heavyweights that he says are similarly vulnerable.



"Web sites can say, 'Only transmit cookies for the https:// version of these image elements,' but Gmail, Facebook, Amazon and a whole bunch of other sites just don't do this," Perry said.

I should note here that this attack is hardly new. Perry said he told Google about this problem a year ago, about the same time he posted an alert to the Bugtraq security mailing list about it. Late last month, Google finally announced a new setting for Gmail users labeled "Always Use https://". While people who have selected this option are immune from this attack, many Gmail users may errantly assume that they are just as protected if they start the login process by typing a persistent, encrypted connection (https://mail.google.com) into their browser.



Without checking the new "Always Use https://" setting in Gmail, users remain vulnerable to this attack.



"Google did not explain why using this new feature was so important," Perry said. "This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they're secure but they're really not."



Perry said he is currently investigating whether more sensitive targets, such as online banking sites, also may be vulnerable to this kind of attack.



If you're wondering how to best protect yourself when visiting online sites that may or may not force secure cookies, the best advice is to use the "logout" button when you are done using the site, as this will kill the cookie planted by the site.

I'm guessing many sites do not set the secure bit on their session cookies because it saves them money. It will be interesting to see how many sites change their practices within the next couple of weeks. Perry said he plans to publicly release his automated cookie-stealing tool in about two weeks.

By Brian Krebs  |  August 10, 2008; 2:02 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  

Comments

I think Google should default to using https-only login cookies when you log in using https://mail.google.com/. Users shouldn't have to know about this new Gmail pref to be secure against these attacks.

Making this change wouldn't hurt users, since Gmail can continue setting a normal, non-login cookie that instructs http://mail.google.com/ to redirect to https://mail.google.com/.

Posted by: Jesse Ruderman | August 11, 2008 3:43 AM | Report abuse


You have a contradiction in the article:

"allows attackers to break into your inbox even if you are accessing your Gmail over a persistent, encrypted session (using https:// versus http://)"

'"Always Use https://". While people who have selected this option are immune from this attack, '

So are you immune if you are always accessing GMail through a secure connection? Based on your initial description, it doesn't sound like this is the case. It sounds as though Google needs to make a change before using https: will offer protection from the attack.

Posted by: MS | August 11, 2008 8:35 AM | Report abuse

The option "Always Use https://" appears to solve the problem. However, if that option is not explicitly set, even if Gmail is on https, then it is still vulnerable. Besides, other Google sites like Google Docs can expose your session cookie and are still vulnerable to this attack.

I was working on the same issue independently from Mike Perry and have published my own research, tool and demo at http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/

Posted by: Sandro Gauci | August 11, 2008 9:28 AM | Report abuse

A simple solution is to avoid using the web interface. Use Imap+SSL or Pop3+SSL and there are no cookies to attack.

Posted by: draeath | August 11, 2008 10:40 AM | Report abuse

This is the blurb from the bulletin:

» Security Fix | Brian Krebs reports that Gmail has unveiled a new security meassure from Google that keeps hackers from hijacking your inbox.

Does your spell check work on "meassure?"

Posted by: rtt | August 11, 2008 11:20 AM | Report abuse

MS -- It would seem to be a contradiction, but I suspect you glazed over this important part of the story:

"Now, cookies can be marked as "secure," meaning they can only be transmitted over your network when you're using a persistent, encrypted (https://) session. Any cookies that lack this designation, however, are sent over the network with every Web page request made to the Web server of the entity that set the cookie -- regardless of which of the above-described methods a Gmail subscriber is using to read his mail. The trouble is that Gmail's cookie is set to be transmitted whether or not you are logged in with a secure connection."

Why is that important? Even if you log in by visiting https:// and maintain an https:// session after that, *if you have not explicitly changed your gmail settings (in the "settings" page) to its new "Always Use https://" feature, then Gmail never sets that always secure session bit on the cookie.*

That means that if I can inject traffic on the network, I can force your machine to give up your Gmail cookie by merely sending you some traffic to anywhere at http://google.

Hence the quote from Perry:

"Google did not explain why using this new feature was so important," Perry said. "This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they're secure but they're really not."



Posted by: BK | August 11, 2008 12:44 PM | Report abuse

Alas, it is not quite the case, as Jesse Ruderman claims - at least not for me at any rate - that «[m]aking this change wouldn't hurt users». If I choose the «Always use https» option in my Gmail settings, neither the «Send to Gmail» button on the Google Toolbar for Firefox nor the similar feature in Picasa for Linux work. An update to the Toolbar which is said to address this problem is expected soon, but I'm not sure that the Picasa developers are aware of the problem....

Henri

Posted by: M Henri Day | August 11, 2008 12:50 PM | Report abuse

I'll second the suggestion of avoiding using webmail. I find it more secure to use a modern e-mail client, via SSL'ed IMAP or POP3, that also reads all mail in plain text (no active content) and disables automatic downloading of any images or web beacons (protects your privacy).

I never quite understood how reading e-mail in a browser is in any way secure. By default browsers read and execute active content that could compromise your privacy or worse if malicious could infect your computer. Many people don't realize that when using any potentially sensitive information (credentials, banking in particular), it is NEVER wise to browse to other sites (whether in another tab or window) where that information could be stolen. Instead limit it to one secure session at a time, be sure to use the log off function, close the browser, clear cookies and temporary internet files and start a new browser session.

Posted by: TJ | August 11, 2008 1:05 PM | Report abuse

@draeath and TJ
While you guys may be computer and Internet gurus, your replies may do a lot more good if your posts said how I would go about this. At work I use Outlook and at home I use MobileMess. While I am “on the Go,” I use web-based email much like everyone else.

Posted by: umm.huh | August 11, 2008 2:43 PM | Report abuse

Unfortunately, Google has not yet rolled-out the "Always use https://" for their Google Apps Standard users.

New features like these seem to take 2 to 6 months to finally filter down to Google Apps.

Posted by: Jeff G. | August 11, 2008 9:12 PM | Report abuse

Apparently Google messed up yesterday causing webmail problems.

http://isc.sans.org/diary.html?storyid=4865

http://mail.google.com/support

"From about 2 p.m. to 4 p.m. Pacific Time today, many Gmail users were unable to access their email. The issue is now resolved. We're very sorry for the interruption in service. The issue was caused by a temporary outage in the contacts system used by Gmail which prevented Gmail from loading properly. All mail is safe, though there may be minor delays with delivery."

Didn't affect POP3/IMAP access. Another reason to avoid webmail in my mind.

Posted by: TJ | August 12, 2008 10:09 AM | Report abuse

@umm.huh

As I commented on a previous Security Fix post, here is my solution:

"As to wireless access, I refuse to use it for anything other than browsing passive information (news, weather, sports scores, etc.) whether on a mobile device or computer. Anything that requires credentials is done via a hardwired connection on a trusted network using encryption (even POP3 via Outlook) on a secured computer. That way there is little chance of exposing my credentials."

As you can see, I don't buy into the 24/7 access via whatever device or connection that is most convenient. Security is always a trade off with convenience. I choose to lean heavily toward security. Call me paranoid. But it works for me because I'm comfortable with the risk level. I don't want to be low hanging fruit ripe for the picking.

Posted by: TJ | August 12, 2008 10:22 AM | Report abuse

@TJ and/or others:

I have AT&T as my internet service provider at home. They use Yahoo for the “my personal home page”. I have to log into this personal web page via https (and can save the login for 2 weeks before it again asks me to login). On this “personal home page”at the top, one of the windows is email (webmail) that shows me emails by subject only, if they have not yet been downloaded via my email client of choice ( which I profess, is not one of general choice).

Is this basically the same situation being talked about here, even if I don’t open the email from the “personal home page”. I have no other personal info on this “personal home page”, besides a weather window for my home town. Should I be concerned? I suppose I should not allow it to “remember” me for 2 weeks too (I have a choice to check off for this).

Posted by: M in CT | August 12, 2008 12:20 PM | Report abuse

@M in CT

Sounds similar in that an attacker may be able to get your Yahoo cookie. If you must use webmail, the following can limit your exposure.

Go directly to the secured login for your webmail (ex. mail.yahoo.com) which should redirect to a secure https page, then take you directly to your mail. Do NOT browse to any other site. When done, log out and close your browser and delete cookies and temporary internet files (prevents theft of any cookie regardless of choosing the two week option).

Finally, remember when using an e-mail client to set it up for a secure connection if possible. Otherwise the client is sending your credentials in plain text across the Internet for anyone to see. The exact method of doing so varies per client as well as per mail host. I know Yahoo doesn't allow POP3 access unless you pay for their premium mail service. As a reference, here are instructions for GMail:
http://mail.google.com/support/bin/answer.py?answer=75291

As to the personalized homepage, I would avoid them, especially when they're tied to an e-mail account. Again convenience versus security. Regardless of the ISP, your homepage can be anything you choose, even none (blank). I choose none so when I launch my browser and choose to login to a secure site, the slate is clean so to speak and the chance of cross site scripting or of any credentials being exposed is minimized. I also clear cookies and temporary internet files after every browser session.

Posted by: TJ | August 12, 2008 2:34 PM | Report abuse

Two points:

1. ####A bad guy who has hijacked the establishment's network sees that you've requested a new Web page and appends a tiny image at htp://mail.google.com to the new page you requested. Bingo. Your browser will spit out the Gmail cookie with your credentials.####

A bad guy (or gal) who has hijacked the network could more easily set up a malicious DNS service and send you to a fake Google webmail site from the start. Always use a manual setting for OpenDNS at hotspots.


2. ####I'm guessing many sites do not set the secure bit on their session cookies because it saves them money.####

When are people going to learn that they do NOT save money by ignoring potential security exploits, because sooner rather than later, they will be discovered and exploited, and then must be fixed after-the-fact when the damage is already done????

Posted by: TE | August 14, 2008 12:56 AM | Report abuse

Thanks TJ

Posted by: M in CT | August 14, 2008 12:28 PM | Report abuse

Please explain how to use an OpenDNS manual setting. Is there a setting in browsers or would one manually type the IP address of google or other pages visited?

Posted by: DCreader | August 15, 2008 8:52 AM | Report abuse

I didn't know session cookies could go into permanent storage. The ones I've seen stay in process memory - they're for browser sessions.

Having a setting that makes you secure: that's a good way to sum up the Google.

Great article.

Posted by: Rick | August 16, 2008 4:21 PM | Report abuse

A bad guy will not only spoof your gmail account but easily OpenDNS too.... It happens and no way out too in the near future...

Posted by: Petr | August 18, 2008 2:39 AM | Report abuse

The "Always Use https://" setting breaks your ability to use Gmail to email photos using Picasa.

Posted by: Lily | August 18, 2008 1:20 PM | Report abuse

What if you're denying cookies globally to the other sites that you're viewing? I only allow cookies to sites that I "trust". Does doing this mitigate some risk of being exploited by this attack?

Posted by: Chuck | August 18, 2008 3:27 PM | Report abuse

Google should just make 'always use https' the default if they are not going to come up with any better solution than this.

Posted by: Nym | August 19, 2008 1:21 AM | Report abuse


© 2010 The Washington Post Company