Tuesday, August 12, 2008

New Tool to Automate Cookie Stealing from Gmail, Others

A security researcher at the Defcon hacker conference in Las Vegas on Saturday demonstrated a tool he built that allows attackers to break into your inbox even if you are accessing your Gmail over a persistent, encrypted session (using https:// versus http://).


When you log in to Gmail, Google's servers will place what's called a "session cookie," or small text file, on your machine. The cookie identifies your machine as having presented the correct user name and password for that account, and it can allow you to stay logged in to your account for up to two weeks if you don't manually log out (after which the cookie expires and you are forced to present your credentials again).



The trouble is that Gmail's cookie is set to be transmitted whether or not you are logged in with a secure connection. Now, cookies can be marked as "secure," meaning they can only be transmitted over your network when you're using a persistent, encrypted (https://) session. Any cookies that lack this designation, however, are sent over the network with every Web page request made to the Web server of the entity that set the cookie -- regardless of which of the above-described methods a Gmail subscriber is using to read his mail.



As a result, even if you are logged in to Gmail using a persistent, encrypted https:// session, all that an attacker sniffing traffic on your network would need do to hijack your Gmail account is force your browser to load an image or other content served from http://mail.google.com. After that, your browser would cough up your
session cookie for Gmail, and anyone recording the traffic on the network would now be able to access your Gmail inbox by simply loading that cookie on their machine.

No comments: