Jan 23, 2008

Unsecured WiFi and Gmail

Many people are not aware of the dangers of browsing from unsecured wireless hotspots. To demonstrate this to a friend, I volunteered to sidejack his Google mail session.

Before I could do that I needed to know which specific cookies Google requires for a valid session. By carefully removing cookies one by one I narrowed it down to these two:

google.com / GMAIL_LOGIN=T1126079980530/1126079980530/0325079980125
mail.google.com /mail GX=DQAAAGoAAAD8gt_Ei66AAynLmNMuqhUTbig34xydickxZT5qkXlfDkjksdjf39ekfatpigXYVSGqHaBhUNuQ93MSbf7boyhahap01V0l74ghmqajdvtv14X8gQ1fRdqIdxzny5_CryNSSymSC6HR_Sf59oATsAPH

You have to issue another GET request to http://mail.google.com/mail/ after manipulating your cookies. If you click on the Inbox link at the left of the UI you will get logged out because of the Ajax acrobatics done by Gmail.
A weird behavior I experienced when using Opera: sometimes you can also get away with GMAIL_LOGIN and LSID:

google.com / GMAIL_LOGIN=T1126079980530/1126079980530/0325079980125
www.google.com /accounts LSID=mail|s.PH:DQAAAGoAAABhqZ-GPDI5CKISHnit7O-YGjjHquF6fFkYUZMuAcfackXzohvS_YRY3you8aCcBkFDwgkaN75F8t_ogagHoG0KyJy2z7yNCg6_R5yqINlmqE8YQG1j2WKsiJKCzKw6KC3mha86RjiI9FEHbTormjeg

This time around you have to click on the Inbox link at the left. You are not logged out, but you get this error message in Opera: 'Oops...the system was unable to perform your operation (error code 007). Please try again in a few seconds'.
Other interesting findings:
  • The GMAIL_LOGIN and LSID cookies are tied to the username.
  • Signing out of the session revokes the cookies.
  • The rememberme cookie does not seem to make a difference when stealing GMAIL_LOGIN and GX cookies.
  • GMAIL_LOGIN or SID + LSID is enough for other Google services.

After a few minutes of analyzing Gmail cookies I then fired up Aircrack-ng. With less than an hour's worth of pcap data, precious GMAIL_LOGIN and GX cookies were ready for the picking. After editing the cookies on my currently logged-in Gmail account and issuing a GET for http://mail.google.com/mail/ I was greeted by my friend's Inbox. He was flustered; the sidejacking was a success.

Connecting to an unsecured WiFi network is like connecting to a hub or a broken switch. All your unencrypted streams are considered sniffer food. By the way, always sign out after using your Google accounts and use https://mail.google.com/.
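The server-side control behind that advice is the cookie's Secure attribute: a browser attaches a cookie without it to plain http:// requests, which is what makes a session cookie sniffer food on an open hotspot. The script below is an added example, not code from the original post; it parses Set-Cookie headers (constructed samples that reuse the cookie names discussed, with placeholder values) and flags session cookies that lack Secure or HttpOnly.

```python
"""Audit Set-Cookie headers for the attributes that matter to sidejacking.
Added example, not code from the original post; cookie values are placeholders."""
from typing import Dict, List

# Constructed sample of what a server might send when it starts a session.
SAMPLE_SET_COOKIES = [
    "GX=PLACEHOLDER_GX_TOKEN; Domain=mail.google.com; Path=/mail",
    "GMAIL_LOGIN=PLACEHOLDER_LOGIN; Domain=google.com; Path=/",
    "LSID=PLACEHOLDER_LSID; Domain=www.google.com; Path=/accounts; Secure; HttpOnly",
]
# Cookie names the post identifies as carrying session authority.
SESSION_COOKIE_NAMES = {"GX", "GMAIL_LOGIN", "LSID", "SID"}

def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header into name, value and lowercased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # value may itself contain '='
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()  # flags like Secure map to ""
    return cookie

def audit_cookie(cookie: Dict[str, str]) -> List[str]:
    """Return the findings that make a session cookie sniffable or scriptable."""
    findings = []
    if "secure" not in cookie:
        # Without Secure the browser also attaches the cookie to http:// URLs,
        # which is exactly what exposes it on an open wireless network.
        findings.append("missing Secure: sent in cleartext over http://")
    if "httponly" not in cookie:
        findings.append("missing HttpOnly: readable by page scripts")
    return findings

def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit only the cookies whose theft yields a logged-in session."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in SESSION_COOKIE_NAMES:
            report[cookie["name"]] = audit_cookie(cookie)
    return report

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_SET_COOKIES).items():
        print(f"{name}: {findings or ['ok']}")
```

Run it against the Set-Cookie headers of your own application; any session cookie reported as missing Secure is exactly the kind a hotspot sniffer can collect.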
