http://blog.wired.com/27bstroke6/2008/01/ssl-gmail-not-a.html
By Kim Zetter
Wired.com
January 31, 2008
One of the big stories at DefCon last year was a security researcher's
demonstration of wirelessly sniffing users' session cookies while they
accessed their e-mail accounts or conducted e-commerce transactions via
wireless networks. The attack allowed a hacker access to the victim's
Gmail or Hotmail account without needing to decipher the user's
password.
Now the security researcher who presented that info has found that even
using SSL HTTPS to access your Gmail account -- which was touted at the
time as a surefire way to protect Gmail users against such an attack --
is vulnerable to this hack.
Robert Graham of Errata Security says he's been able to grab session
cookies even when users access their account in a presumably secure
manner. He describes the vulnerability on his blog [1]:
In theory, using the HTTPS version of Gmail should protect you by
going to https://mail.google.com/mail, but this doesn't work as you
think. The JavaScript code uses an XMLHttpRequest object to make
HTTP requests in the background. These are also SSL encrypted by
default - but they become unencrypted if SSL fails.
When you open your laptop and connect to a WiFi hotspot, it usually
presents you with a login page, or a page that forces you to accept
their terms and conditions. During this time, SSL will be blocked.
Gmail will therefore backoff and attempt non-SSL connections. These
also fail - but not before disclosing the cookie information that
allow hackers to sidejack your account.
[1] http://erratasec.blogspot.com/2008/01/more-sidejacking.html
___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Thu Jan 31 2008 - 23:31:56 PST