Researcher: Google Mail vulnerable to sidejacking despite SSL

By Joel Hruska | Published: February 01, 2008 – 12:50PM CT

Last August, security researcher and Errata Security CEO Robert Graham demonstrated just how easy it can be to access potentially sensitive user information. His technique, nicknamed sidejacking, intercepts session-ID cookies from the WiFi signal; the stolen cookies can then be used for a number of purposes, including sending and receiving e-mail. This type of attack takes place after the end user has securely logged on to a service. Virtually all companies provide a secure login portal, but many do not secure the connection thereafter, which exposes the end user to the kind of hijacking described above. During his demonstration at the time, Graham said that Google Mail users could switch to https://mail.google.com and secure their session from such snooping—but he has now backed away from and qualified that statement.

According to Graham, Google’s JavaScript code makes HTTP requests in the background via XMLHttpRequest. By default, these requests are SSL-encrypted—but if SSL fails, they fall back to unencrypted HTTP. When a user attempts to connect to a WiFi hotspot, Google Mail attempts to connect both with and without SSL. Even when the SSL attempt fails, the session-ID cookies are still transmitted over the wireless link to the router, and can therefore be captured by anyone sitting nearby with suitably configured sniffing software.

Graham himself uses Google Mail as an example of this problem, but it is far from the only site affected, and the https:// alternative it offers is still better than what you get on other sites. Facebook, MySpace, and Yahoo Mail are all affected by the issue, as are other “Web 2.0” sites. Graham implies that the solution is to encrypt the entire user session, as financial institutions do, rather than only the login page—but for that to work, products like Google Mail obviously cannot drop back into non-SSL mode when attempting to connect.
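The fallback described above, and the fix Graham points to, can be shown with a small model of how a browser decides which cookies to attach to a request. This is an added example, not code from the article, from Graham, or from Google. It assumes that the login response marks the session cookie with the Secure attribute (a cookie flag the article does not mention): a conforming browser then withholds that cookie from any request made over plain http://, so even a script that drops back to unencrypted mode cannot leak it. It also includes a simple check over constructed captured request heads to flag session cookies that appear on a non-TLS connection. All hostnames, cookie names and values are made up.

```python
from urllib.parse import urlparse

# Constructed Set-Cookie headers standing in for what a webmail login response
# might return. "session_id" carries the Secure attribute; "prefs" does not.
# Names and values are made up for this example.
SAMPLE_SET_COOKIE_HEADERS = [
    "session_id=abc123; Domain=mail.example.com; Path=/; Secure; HttpOnly",
    "prefs=theme-dark; Domain=mail.example.com; Path=/",
]


def parse_set_cookie(header, request_host):
    """Parse one Set-Cookie header into a dict.

    Only the attributes relevant here (Domain, Secure, HttpOnly) are
    interpreted; Path, Expires and the rest are ignored for brevity.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {
        "name": name.strip(),
        "value": value.strip(),
        "domain": request_host.lower(),  # default: the host that set it
        "secure": False,
        "httponly": False,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain" and val.strip():
            cookie["domain"] = val.strip().lstrip(".").lower()
    return cookie


def build_jar(headers, request_host="mail.example.com"):
    """Model the browser cookie jar after processing the login response."""
    return [parse_set_cookie(h, request_host) for h in headers]


def cookies_sent_to(jar, url):
    """Names of the cookies a conforming browser attaches to a request for url.

    A cookie marked Secure is withheld from any non-https scheme, so it cannot
    leak even if client-side code falls back to plain HTTP.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    sent = []
    for c in jar:
        domain_ok = host == c["domain"] or host.endswith("." + c["domain"])
        if not domain_ok:
            continue
        if c["secure"] and parsed.scheme != "https":
            continue
        sent.append(c["name"])
    return sent


def audit_missing_secure(jar):
    """Server-side review: cookies issued after login that lack Secure would
    ride along on any fallback HTTP request and be readable on the wire."""
    return [c["name"] for c in jar if not c["secure"]]


# Constructed sample of captured request metadata: (destination port, request
# head). TLS traffic has no readable head, so it is recorded as None.
SAMPLE_CAPTURE = [
    (443, None),
    (80, "GET /mail/sync HTTP/1.1\r\nHost: mail.example.com\r\n"
         "Cookie: prefs=theme-dark\r\n\r\n"),
    (80, "GET /mail/sync HTTP/1.1\r\nHost: mail.example.com\r\n"
         "Cookie: prefs=theme-dark; session_id=abc123\r\n\r\n"),
    (80, "GET /static/logo.png HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"),
]


def cleartext_cookie_exposures(capture, sensitive_names=("session_id",)):
    """Detection over plaintext HTTP requests: report which sensitive cookie
    names appear in a Cookie header on a non-TLS connection.

    Returns a list of (request_index, [exposed_names]).
    """
    findings = []
    for idx, (port, head) in enumerate(capture):
        if port == 443 or head is None:
            continue
        for line in head.split("\r\n"):
            if not line.lower().startswith("cookie:"):
                continue
            pairs = [kv for kv in line[len("cookie:"):].split(";") if kv.strip()]
            names = [kv.split("=", 1)[0].strip() for kv in pairs]
            hits = [n for n in names if n in sensitive_names]
            if hits:
                findings.append((idx, hits))
    return findings


if __name__ == "__main__":
    jar = build_jar(SAMPLE_SET_COOKIE_HEADERS)
    print("https request sends:", cookies_sent_to(jar, "https://mail.example.com/mail/sync"))
    print("http request sends: ", cookies_sent_to(jar, "http://mail.example.com/mail/sync"))
    print("cookies missing Secure:", audit_missing_secure(jar))
    print("cleartext session-cookie exposures:", cleartext_cookie_exposures(SAMPLE_CAPTURE))
```

Run stand-alone, the model shows the https request carrying both cookies while the fallback http request carries only `prefs`; the audit names `prefs` as the cookie that would travel in the clear, and the capture check flags only the request in which `session_id` appears on port 80. The two controls are complementary: the Secure attribute stops the browser from sending the session cookie over HTTP regardless of what the page script does, and the passive check catches any deployment where that attribute is missing.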

Graham stops short of saying that Gmail is now a fundamentally insecure product, but the situation as a whole is obviously less than ideal. As wireless use continues to grow, these types of security issues will have to be addressed in all facets of communication—even a handful of major wireless security scares could be enough to frighten users away.
