
Gmail Vulnerable to Sidejacking

Posted: Thu Feb 07, 2008 6:31 pm
by AYHJA

Published: February 01, 2008 - 12:50PM CT

By Joel Hruska (arstechnica.com) -- Last August, security researcher and CEO of Errata Security Robert Graham demonstrated just how easy it could be to access potentially serious user information. His technique (nicknamed sidejacking) intercepts session ID cookies from the WiFi signal; these can then be used for a number of purposes, including sending and receiving e-mail. This type of attack takes place after the end-user has securely logged on to a service. Virtually all companies provide a secure login portal, but many do not secure the connection thereafter, which exposes the end-user to potential hacking as described above. During his demonstration at the time, Graham said that Google Mail users could switch to https://mail.google.com and secure their session from such snooping, but he's now backed away from and qualified that statement.

According to Graham, Google's JavaScript code makes HTTP requests in the background via an XMLHttpRequest. By default, these requests are SSL-encrypted—but if SSL fails, they change to nonencrypted mode. When a user attempts to connect to a WiFi hotspot, Google Mail attempts to connect with SSL both enabled and disabled. Even if the attempt fails, session-ID cookies are still transmitted to the router, and can therefore be captured by anyone sitting nearby with an appropriately configured software suite.

Source: http://tinyurl.com/26mzxr
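
The leak described in the article needs two things to line up: a background request that actually goes out over plain http://, and a session cookie the browser is willing to attach to such a request, which it is unless the cookie was set with the Secure attribute. The following is an added example written for this thread, not code from the article, from Graham, or from Google; it models the fallback pattern and the browser's cookie rules offline, so the host name, request path, cookie name and value are all constructed, and no network I/O happens.

```javascript
// Added example (not from the article or from Google): a small model of why a
// session cookie ends up on the wire in the clear when a page's background
// XMLHttpRequests fall back from https to http. Host names, cookie names and
// values below are constructed for illustration.

// Parse one Set-Cookie header value. `originHost` is the host that set it;
// a cookie without a Domain attribute is host-only (exact host match).
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(),
    hostOnly: true,
    path: "/",
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "domain") {
      cookie.domain = val.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    } else if (key === "path" && val.startsWith("/")) cookie.path = val;
    // Expires / Max-Age do not affect the scheme check and are ignored here.
  }
  return cookie;
}

// Would a browser attach `cookie` to a request for `url`? Domain and path
// matching as in RFC 6265 section 5.4, plus the rule that matters for
// sidejacking: a Secure cookie is only ever sent over https.
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const domainOk = cookie.hostOnly
    ? host === cookie.domain
    : host === cookie.domain || host.endsWith("." + cookie.domain);
  const prefix = cookie.path.endsWith("/") ? cookie.path : cookie.path + "/";
  const pathOk = u.pathname === cookie.path || u.pathname.startsWith(prefix);
  const schemeOk = !cookie.secure || u.protocol === "https:";
  return domainOk && pathOk && schemeOk;
}

// The request pattern the article describes, without real network I/O:
// `httpsWorks` stands in for whether the TLS connection succeeded (a captive
// portal on a hotspot commonly makes it fail), and `allowInsecureFallback`
// is the behaviour being criticised: retry the same call over plain http.
function backgroundRequestUrls(host, path, httpsWorks, allowInsecureFallback) {
  const urls = ["https://" + host + path];
  if (!httpsWorks && allowInsecureFallback) urls.push("http://" + host + path);
  return urls;
}

// Names of cookies that would cross the wire unencrypted given a cookie jar
// and the list of requests the page makes; this is what a passive sniffer
// on the same WiFi network gets to read.
function cookiesExposedInClear(jar, urls) {
  const exposed = new Set();
  for (const url of urls) {
    if (!url.startsWith("http://")) continue; // https traffic is not readable
    for (const c of jar) if (cookieSentTo(c, url)) exposed.add(c.name);
  }
  return [...exposed].sort();
}

// Three scenarios on a hotspot where https is broken. Returns the exposed
// cookie names for each so the effect of the two fixes is visible.
function demo() {
  const host = "mail.example.com";      // constructed, not Google's host
  const path = "/mail/?ui=2&view=cv";   // constructed request path
  const plainCookie = "SESSIONID=constructed-session-token; Domain=.example.com; Path=/; HttpOnly";
  const plainJar = [parseSetCookie(plainCookie, host)];
  const secureJar = [parseSetCookie(plainCookie + "; Secure", host)];
  return {
    // As described in the article: fallback on, cookie not marked Secure.
    vulnerable: cookiesExposedInClear(plainJar, backgroundRequestUrls(host, path, false, true)),
    // Client-side fix: never downgrade the request to http.
    noFallback: cookiesExposedInClear(plainJar, backgroundRequestUrls(host, path, false, false)),
    // Server-side fix: Secure attribute, so a downgraded request carries no cookie.
    secureCookie: cookiesExposedInClear(secureJar, backgroundRequestUrls(host, path, false, true)),
  };
}

console.log(JSON.stringify(demo()));
```

Either fix on its own closes the hole the article describes, but they protect against different mistakes: refusing the http fallback keeps the cookie off the wire even if the server forgot the Secure attribute, and the Secure attribute keeps it off the wire even if some other script on the page makes a plain http request.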

Re: Gmail Vulnerable to Sidejacking

Posted: Fri Feb 08, 2008 8:20 am
by zaphodz
Actually I think this was fixed by Google late last year sometime.