<<< Date Index >>>     <<< Thread Index >>>

Active Gmail "Sidejacking" - https is NOT ENOUGH



I have noticed several media articles recommending that users use
https to protect their gmail sessions from Robert Graham's
"Sidejacking" attackers. 

It turns out that independent of Mr. Graham's work, I have also been
investigating these types of attacks as they pertained to users'
safety while they use the Tor network.

As I presented in my Black Hat and DefCon talks on Securing the Tor
Network, it turns out that using https for accessing mail.google.com
is not sufficient to protect you from many "Sidejacking" attacks. The
'GX' authentication cookie for mail.google.com is set to be
transmitted for any type of connection (http or https). This is the
only cookie one needs to authenticate to gmail.

This "Any type of connection" property allows an attacker execute a
cross site request forgery attack to inject spoofed
'http://mail.google.com' content elements or meta-refresh tags into
ANY WEB PAGE loaded by a user. Repeat: the user does NOT have to be
using gmail at the time, they just need to have a valid 'GX'
authentication cookie from a prior login, and then visit ANY WEBSITE.
Upon fetching/executing these injected elements, the browser will
transmit the 'GX' cookie in the clear for the load of the spoofed
element.

Arp spoofing, DHCP spoofing, DNS spoofing, and TCP race-based attacks
(such as AirPwn) are all valid vectors for inserting these content
elements.

The ONLY way to be safe is to clear your google cookies immediately
after using gmail, or to mash the logout button. Obviously, being a
privacy advocate, I would prefer everyone did the former :)

Many other sites also have this same problem. In fact, I just
purchased an item from a site that failed to enforce that its cookies
are transmitted for "Encrypted Sessions Only".  The FireFox addon
CookieCuller is a nice easy way to inspect this property of cookies.
You should check your banks :)

Security is a hobby of mine - unfortunately I have neither the
interest nor the time to produce a proof of concept of this attack.
Quite frankly, I'd rather spend my free time helping to improve the
Tor network, rather than releasing attacks that may compromise its
users or the general public. My reluctance to release does not stem
from any particular moral opposition to full disclosure. If google and
other sites continue to ignore this issue, I may be motivated to make
a release. It is very likely "bad guys" will beat me to it anyway,
because this attack is relatively simple with the right MITM tools.

You can verify the validity of this attack by logging in to
https://mail.google.com. You will remain in https://mail.google.com
after the login is complete. Now, use CookieCuller to blow away all
but the 'GX' cookie. After this, close your gmail tab, and then visit
http://mail.google.com. You will still be authenticated.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Attachment: pgpsEExNVtbXi.pgp
Description: PGP signature