August 11, 2008
New Tool for Old Gmail Account Hijacking Trick
The attack’s not new, but a tool to automate the process is:
“You log into your Gmail account on a wireless hotspot at the local coffee bar, being careful to do so by clicking on a bookmark that sends you to https://mail.google.com. In between reading your e-mail, for example, you surf over to another trusted Web site. A bad guy who has hijacked the establishment’s network sees that you’ve requested a new Web page and appends a tiny image at http://mail.google.com to the new page you requested. Bingo. Your browser will spit out the Gmail cookie with your credentials.
“If this weren’t enough, Mike Perry, a reverse engineer for San Francisco-based Riverbed Technologies, debuted a software tool at the Defcon hacker conference that automates this cookie-stealing method for Gmail, as well as a number of other Internet heavyweights that he says are similarly vulnerable.
“‘Web sites can say, “Only transmit cookies for the https:// version of these image elements,” but Gmail, Facebook, Amazon and a whole bunch of other sites just don’t do this,’ Perry said.
“I should note here that this attack is hardly new. Perry said he told Google about this problem a year ago, about the same time he posted an alert to the Bugtraq security mailing list about it. Late last month, Google finally announced a new setting for Gmail users labeled ‘Always Use https://’. While people who have selected this option are immune from this attack, many Gmail users may errantly assume that they are just as protected if they start the login process by typing a persistent, encrypted connection (https://mail.google.com) into their browser.” Perry’s releasing the tool in the next several weeks.
Posted by mhall at 12:03 PM
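
The weakness described in the quoted article comes down to session cookies issued without the Secure attribute, which the browser then attaches to any http:// request for the same host. As an added example (not from the original post and not Perry's tool), this Python audit parses Set-Cookie headers and reports which cookies would be sent over plain HTTP; the hostname, cookie names and header values are constructed samples.

```python
# Added example: audit Set-Cookie headers for the missing Secure attribute.
# Hostname, cookie names and header values below are constructed samples.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs) with lowercase attr keys."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def sent_over(scheme, attrs):
    """A browser attaches a cookie to http:// requests unless it carries Secure."""
    return scheme == "https" or "secure" not in attrs

def audit(headers):
    """Return names of cookies that would leak on a plain-http request to the same host."""
    leaky = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if sent_over("http", attrs):
            leaky.append(name)
    return leaky

# Constructed responses from an HTTPS login at mail.example.test
SAMPLE_HEADERS = [
    "SESSION=3f9a1c; Path=/; HttpOnly",              # no Secure: also sent to http://
    "SESSION_TLS=77b2e0; Path=/; Secure; HttpOnly",  # restricted to https://
    "PREFS=lang-en; Path=/; secure",                 # attribute names are case-insensitive
]

if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS):
        print(f"{name}: missing Secure, exposed to injected http:// requests")
```

Running the same audit against the Set-Cookie headers of a real login response shows which cookies need the Secure attribute added on the server side.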

