111 Comments
- peterlisanti, on 10/10/2007, -3/+191 "Since the attack relies on sniffing traffic, using SSL or some type of encryption (like a VPN tunnel) would stop Graham in his tracks."
You're an idiot if you don't use https://mail.google.com/mail
It's all about that little 's', people.
- Nougat, on 10/10/2007, -1/+83 So someone explain to me what this has to do with GMail in particular? GMail was what they used in the demonstration, but any non-SSL traffic would be susceptible, not just GMail. Right?
- inactive, on 10/10/2007, -7/+52 Damn it, I thought this would tell me how to do it.
- vvaduva, on 10/10/2007, -2/+42 This is why you encrypt your traffic... it's simple and free... this weird new technology called SSL.
Use https://mail.google.com/mail/ and you'll be fine.
- merreborn, on 10/10/2007, -0/+34 Yes, this is in no way limited to GMail. And this attack has been *very* well known since the mid-nineties.
http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft
- merreborn, on 10/10/2007, -2/+20 Also worth noting: this attack is as old as the session cookie (i.e. over a decade old).
The only novel thing about this article at all is the fact that this "Hamster" tool makes the process simple enough that a smack-addled one-armed monkey could do it.
- podgey22, on 10/10/2007, -4/+18 Jesus Christ... Looks like we've got a new No-Hats.
You can EASILY replicate everything he "did" with ettercap, Firefox and the cookie-editing plugin. It's a little more manual, but it wouldn't take much longer than 20 minutes to script something together to make the process as easy.
- podgey22, on 10/10/2007, -1/+14 Yes.
- koonchu, on 10/10/2007, -1/+13 Any tips on getting my iGoogle GMail link to take me to the secure version?
- EricJ2190, on 10/10/2007, -1/+12 Yep, pretty much. As long as it is not encrypted, you can read the session information. And, of course, clone it.
- Nougat, on 10/10/2007, -2/+13 The Customize Google Firefox extension can "always use SSL in GMail" if you're so inclined.
But that doesn't say anything about the logon to your iGoogle page, which is not SSL, unless you also go to https://www.google.com/ig
- shawnz, on 10/10/2007, -2/+12 Buried as incorrect. All he did was get the cookie using standard methods and import it. And since it's a LAN and presumably both users were on the same IP, it would have been nearly impossible to prevent. This hack could easily be applied to any web page that used cookies, and is neither remotely impressive nor gmail exclusive. And, if I were at a Black Hat convention and using wifi, you can be sure as hell I'd be tunneling and using static ARP, anyway.
- etnu, on 10/10/2007, -1/+11 If someone is pulling a man in the middle on your network, you've got WAY bigger problems to worry about than encrypting your email.
- pivovy, on 10/10/2007, -1/+10 There are many more Grahams around than you may think.
- AdmiralJimbob, on 10/10/2007, -2/+10 My neighbour's name is Graham, but he doesn't own a computer. Is he undercover?
- EmmanuelGoldstn, on 10/10/2007, -2/+8 The login page redirects to https, but after that you're on a non-SSL-encrypted page (i.e. no 's'). However, if you go to the https://mail.google.com site initially, it keeps the SSL connection throughout the rest of the site. Someone might not be able to sniff your password, but they could read the rest of the traffic in cleartext (e.g., any emails you open or compose).
- yogurtslinger, on 10/10/2007, -8/+14 I would've sent an email that said "i like turtles"
- macha, on 10/10/2007, -2/+8 Is Peter right? Is all that is needed httpS?
- MrSunshine, on 10/10/2007, -1/+7 I go to http://gmail.com and expect Google to redirect me to the https:// one!
- idugcoal, on 10/10/2007, -1/+6 That's what I was thinking, too. Is there anyone here comfortable enough in their understanding of SSL to confirm or deny whether this has anything to do with GMail in particular? I've always used the secure (https://) connection for GMail, and I rarely use wi-fi, but if anyone here can drop some science it would be one less thing for me to have to forget to worry about.
- akira117, on 10/10/2007, -0/+4 Is there a reason to not redirect everyone to the secure page?
- orxor, on 10/10/2007, -2/+6 When I go to gmail.com it redirects to https automatically. Perhaps other 3rd-party apps are at fault.
- IanCal, on 10/10/2007, -0/+4 Add document.links[i].href.search("https")==-1 to the if statement. Otherwise, if you click on https://mail.google.com you'll get httpss://mail.google.com
- bioskope, on 10/10/2007, -1/+5 Damn it, all the pre-teens must be feeling so depressed because this article didn't turn out to be what they thought it would be. Reading the article wasn't really revealing. I mean this is not exactly the kind of ***** that you would think to be the highlight of a BlackHat Conference. I think this is getting so much popularity since it was Gmail in question that was at the receiving end.
- kualla, on 10/10/2007, -0/+3 I VERY strongly would like to see Gmail incorporate a simple, yet useful security feature: to simply show the last time your Gmail account was logged on AND from which IP address.
Logging the IP could reveal if someone hacked/cracked your account, and then the time could be used as evidence to find out who was using that IP address at that specific time. But if someone accesses your Gmail account on your own network at a time when you clearly weren't using Gmail, then you know you have someone stealing your cookies/MITM attacks (or someone could be literally hopping onto your own PC and using Gmail too).
- shawnz, on 10/10/2007, -0/+3 Although not technically MITM, you're still interpreting data as it passes between the client and gateway. So, in principle, it's an MITM attack.
- fkr3, on 10/10/2007, -0/+3 It should actually be
if (document.links[i].href.indexOf("https") == -1)  // test the href string, not the anchor element itself
    document.links[i].href = document.links[i].href.replace("http", "https");
- christyfrink, on 10/10/2007, -1/+4 The SSL problem is not specific to Gmail, as has already been discussed. But if you use the Gmail notifier for Mac, your info is still being passed through the network in plain text. There is a pretty obscure but simple way to tell it to use https, which can be found here: http://www.macosxhints.com/article.php?story=200707030100345.
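Added example, not code posted in the thread: a complete version of the link-rewriting Greasemonkey idea from the IanCal, fkr3 and s1ade comments, written as a stand-alone script. It rewrites only links to the hosts the thread mentions (mail.google.com and www.google.com; that host list is an assumption), leaves links that are already https:// alone so the "httpss://" mistake cannot happen, and uses the URL parser available in current browsers and Node instead of blind string replacement, so mailto: and javascript: links are untouched as well.

```javascript
// Added example: upgrade http:// links to selected Google hosts to https://.
// Not the thread's code; the host list below is an assumption for the example.
const HOSTS = ["mail.google.com", "www.google.com"];

// Return the https:// form of `url` when it is a plain-http link to one of
// HOSTS; return it unchanged otherwise (already https, other scheme,
// other host, relative or malformed).
function toHttps(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return url; // relative or malformed href: leave it alone
  }
  if (u.protocol !== "http:") return url; // https:, mailto:, javascript:, ...
  if (!HOSTS.includes(u.hostname)) return url;
  u.protocol = "https:"; // http -> https is a permitted special-scheme change
  return u.toString();
}

// Rewrite every link-like object (anything with an `href`) in place and
// return how many were changed.
function rewriteLinks(links) {
  let changed = 0;
  for (const a of links) {
    const next = toHttps(a.href);
    if (next !== a.href) {
      a.href = next;
      changed++;
    }
  }
  return changed;
}

// When run as a user script in a page, rewrite the page's links.
if (typeof document !== "undefined") {
  rewriteLinks(Array.from(document.links));
}
```

Under Greasemonkey this goes below a ==UserScript== header whose @include lines name the pages it should run on; the top-level call then fixes the links once the page has loaded. The page load itself still starts over plain http unless you type the https:// address, so this only covers the links you click afterwards.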
- wisam, on 10/10/2007, -0/+2 Every other webmail provider doesn't offer entire encrypted sessions. What they do is encrypt the authentication process, i.e. sending the password. After that, everything is sent in cleartext. Gmail is the only free email provider I know of that offers encryption for the entire session as an option. It consumes resources of both Google and the user, so it is left for the user to choose.
- gann, on 10/10/2007, -0/+2 No... if you go to https://mail.google.com then Google knows that you want your ENTIRE session SSL'd. So the redirect after logging in in this case is to https, and you'll be safe.
Alright, if you're still not sure, use this one:
https://www.google.com/accounts/ServiceLogin?service=mail&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl
- GeekyGerge, on 10/10/2007, -0/+2 F.ull.Sto.ps?
- superdoug, on 10/10/2007, -0/+2 Simply install this Firefox extension: https://addons.mozilla.org/en-US/firefox/addon/4866
It will convert all Gmail links to https.
- ninjafish87, on 10/10/2007, -1/+2 NOTE: THE GMAIL ICON IN THE GOOGLE TOOLBAR DOES NOT TAKE YOU TO THE SECURE GMAIL.
- lothar250, on 10/10/2007, -0/+1 So what... If you really care, you are paranoid.
- m2paper, on 10/10/2007, -0/+1 Then let's see people get hacked.
- neosublime, on 10/10/2007, -0/+1 Get the Greasemonkey script to force all secure connections to Google services.
http://userscripts.org/scripts/show/5951
- Daedalus17, on 10/10/2007, -0/+1 Not all browsers will work on the secure page. Mainly really old browsers, though.
- Jaymoon, on 10/10/2007, -0/+1 He did explain how he did it...
"The attack is actually quite simple. First Graham needs to be able to sniff data packets and in our case the open Wi-Fi network at the convention fulfilled that requirement. He then ran Ferret to copy all the cookies flying through the air. Finally, Graham cloned those cookies into his browser – in easy point-and-click fashion - with a home-grown tool called Hamster."
- s1ade, on 10/10/2007, -0/+1 I don't know Greasemonkey, but can't you just change the replace("http", "https"); with replace("http:", "https:");?
More elegant, or does it break something I don't know?
- cdorka, on 10/10/2007, -0/+1 Why, on https://mail.google.com, is there no little lock icon indicating SSL encryption?
- TheGonzo, on 08/13/2008, -0/+1 Douche bag, good job, now Digg will be better with you
- iNunchuk, on 10/10/2007, -0/+1 Interesting to note is that if you do a simple search query on Google for "Gmail" and you click the first result, it redirects you to http://mail.google.com - not https://mail.google.com
- Laurentvw, on 10/10/2007, -0/+1 I like piggies
- cyberoidx, on 10/10/2007, -0/+1 So do many others. That's why most people get hacked. Hmmm... nice page... what's the address... gimmeurpw.com? Who cares... it's the Gmail login page... why should I waste time typing gmail.com?
- inactive, on 02/05/2009, -0/+1 Learn How Hack Gmail id From http://www.monkeydollars.blogspot.com
- IanCal, on 10/10/2007, -0/+1 It's not MITM.
- IanCal, on 10/10/2007, -0/+1 It does tell you how to do it:
"First Graham needs to be able to sniff data packets and in our case the open Wi-Fi network at the convention fulfilled that requirement. He then ran Ferret to copy all the cookies flying through the air. Finally, Graham cloned those cookies into his browser"
- bradleyland, on 10/10/2007, -0/+1 While I agree that this news is marginally short of "exciting" for what is supposed to be a giant black hat event, the person exhibiting this hack wasn't purporting that the technique was new. He was demoing a new application he wrote called Hamster. Hamster analyzes captured network data (which you can grab using whatever [ettercap if you wish, he used Ferret]) and targets session IDs and cookie data. It's a pretty straightforward concept, and yes, you could grep/copy/paste/firefox-cookie-edit/etc. your way through the whole operation, but Hamster is a LOT more than just a packet data analyzer. It has a nice little local proxy server and some web interface elements that are pretty damned nice if you're looking to strap on someone else's session and go browsing.
This definitely makes me think a little more about securing my sessions when on a public hotspot.
- inactive, on 10/10/2007, -2/+3 That initial https doesn't really matter, because after you log in, you are now using http, not https... so just copy the cookie created by the https login (doesn't matter that it is encrypted), and then copy the session id that is being used after the login (that auth=asoidjoaifja junk), and that's all there is to it... well, maybe there's more than that, but it is very easy. Though the attacker would need to be on your network in order to attempt to sniff the traffic and be able to accomplish this.
Also, if you are checking your email at Black Hat and you don't expect to get hacked, you're an idiot...
- orphzirra, on 10/10/2007, -0/+1 People should operate under the principle that anything they say in an email or IM that doesn't have encrypted text (e.g. PGP) is going to be readable by someone at some point in its traversal of the internet.
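Added example, not from the thread and not the Ferret or Hamster code: the bradleyland and inactive comments above describe the attack as pulling the Cookie header, and the session id inside it, out of captured plaintext HTTP. The script below runs the defender's version of that check over a capture of your own traffic: it parses raw HTTP requests, groups the cookies by Host, and reports the cookies whose names look like session identifiers. Anything it lists is a cookie that someone on the same open network could have copied and replayed. The capture, the hostnames and the name heuristic are all constructed for the example.

```javascript
// Added example: audit captured cleartext HTTP requests for exposed session
// cookies. Not the thread's code; the capture below is constructed, and
// SESSION_NAME is a heuristic assumed for the example.
const CAPTURE = [
  "GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\nCookie: SID=abc123; PREF=lang=en\r\n\r\n",
  "GET /ig HTTP/1.1\r\nHost: www.example.com\r\nCookie: PREF=lang=en\r\n\r\n",
  "GET /mail/?ui=html HTTP/1.1\r\nHost: mail.example.com\r\nCookie: SID=abc123; auth=DQAAA\r\n\r\n",
  "GET /robots.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
];

// Cookie names that usually carry a login session (assumption for the example).
const SESSION_NAME = /sid|sess|auth|token|login/i;

// Split one raw HTTP request into its request line and a lower-cased header map.
function parseRequest(raw) {
  const [head] = raw.split("\r\n\r\n");
  const [requestLine, ...headerLines] = head.split("\r\n");
  const headers = {};
  for (const line of headerLines) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { requestLine, headers };
}

// Parse a Cookie request header ("a=1; b=2") into { a: "1", b: "2" }.
// Only the first "=" separates name from value, so values may contain "=".
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Every cookie seen in the clear, keyed by Host: { host: { name: value } }.
// Later requests overwrite earlier values for the same cookie name.
function cleartextCookies(capture) {
  const byHost = {};
  for (const raw of capture) {
    const { headers } = parseRequest(raw);
    const host = headers["host"];
    if (!host) continue;
    const jar = byHost[host] || (byHost[host] = {});
    Object.assign(jar, parseCookies(headers["cookie"]));
  }
  return byHost;
}

// Only the hosts that sent a session-looking cookie, with the cookie names.
function exposedSessionCookies(capture) {
  const result = {};
  for (const [host, jar] of Object.entries(cleartextCookies(capture))) {
    const names = Object.keys(jar).filter((n) => SESSION_NAME.test(n));
    if (names.length) result[host] = names.sort();
  }
  return result;
}

console.log(exposedSessionCookies(CAPTURE));
```

Feeding real traffic in means exporting the HTTP request text from a capture tool as one string per request; the parser deliberately ignores responses and anything without a Host header. The same cookie carried over https would never appear in such a capture, which is the whole point of the "use the https:// address from the start" advice in this thread.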