http://blog.wired.com/27bstroke6/2008/01/ssl-gmail-not-a.html By Kim Zetter Wired.com January 31, 2008 One of the big stories at DefCon last year was a security researcher's demonstration of wirelessly sniffing users' session cookies while they accessed their e-mail accounts or conducted e-commerce transactions via wireless networks. The attack allowed a hacker access to the victim's Gmail or Hotmail account without needing to decipher the user's password. Now the security researcher who presented that info has found that even using SSL HTTPS to access your Gmail account -- which was touted at the time as a surefire way to protect Gmail users against such an attack -- is vulnerable to this hack. Robert Graham of Errata Security says he's been able to grab session cookies even when users access their account in a presumably secure manner. He describes the vulnerability on his blog [1]: In theory, using the HTTPS version of Gmail should protect you by going to https://mail.google.com/mail, but this doesn't work as you think. The JavaScript code uses an XMLHttpRequest object to make HTTP requests in the background. These are also SSL encrypted by default - but they become unencrypted if SSL fails. When you open your laptop and connect to a WiFi hotspot, it usually presents you with a login page, or a page that forces you to accept their terms and conditions. During this time, SSL will be blocked. Gmail will therefore backoff and attempt non-SSL connections. These also fail - but not before disclosing the cookie information that allow hackers to sidejack your account. [1] http://erratasec.blogspot.com/2008/01/more-sidejacking.html ___________________________________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Thu Jan 31 2008 - 23:31:56 PST