News
"Black Hat" - WiFi is an easy key to unlock someone else's Gmail, Yahoo etc
by Dan Goodin | posted on 03 August 2007
Black Hat Users of Yahoo! Mail, MySpace and just about every Web 2.0 service take note: If you access those services using public Wi-Fi, Rob Graham can probably gain unlimited access to your account - even if you logged in using the secure sockets layer protocol.
Graham, who is CEO at Errata Security, demonstrated the hack to attendees of the Black Hat security conference in Las Vegas. The technique uses a plain-vanilla network sniffer to read the cookies returned by Google Mail, Hotmail and scores of other sites after a user has entered login credentials.
The websites rely on the cookie as a session ID to validate the browser as belonging to the person who just logged in. By copying the cookie and attaching it to a completely different browser Errata Security researchers showed it was easy to gain unfettered access to the accounts of others.
"If I sniff your Gmail connection and get all your cookies and attach them to my Gmail, I now become you, I clone you," Graham said during a presentation on Thursday. "Web 2.0 is now fundamentally broken."
The technique allowed Graham to open the Gmail account of an unsuspecting Black Hat attendee who had used the conference access point to get his email. Although the Errata Security chief closed the window several seconds after accessing it, nothing short of good manners prevented him from reading the person's messages, or, for that matter, accessing maps, calendar or other Google properties used by that person.
The hack caught our attention because it shatters a common assumption concerning secure surfing on public access points. Up until now, we felt relatively safe using hotspots to access email as long as we logged in with an SSL session. Yes, we knew that any subsequent pages that were not appended by "https" in the address bar were susceptible to snooping, but intruders still had no way to access the account itself.
Now we know better. Any session that isn't protected from start to finish by SSL is vulnerable to the hack. And because session IDs generated by most sites are valid for an indefinite period, that means intruders could silently access our accounts for years - even if we regularly change our passwords.
The only way Graham said he knew to work around the vulnerability is to use Google and select options that automatically keep Gmail, Google Calendar and several other properties encrypted throughout the entire session. (Check the Defcon Survival Guide for more on this.) If you use most other services, you're out of luck, as they all switch to an unencrypted browsing mode after login.
Copyright The Register® 2007
Technorati tags: WiFi
general news (wireless) - You can discuss this article on our discussion board.
in News
The worlds two biggest wireless patent trolls - Qualcomm and Broadcom - the fight continues
WiFi access, freshly made fruit smoothie, and breakfast? New chain opens in London
A GPS sports watch (with Bluetooth) that doesn't like water?
you're reading:
"Black Hat" - WiFi is an easy key to unlock someone else's Gmail, Yahoo etc
Google's head of patents believes the US patent system is "in crisis" following Blackberry lawsuit
Who knows what the iPhone is hiding when you browse a link over the air?