Point and click Gmail hacking at Black Hat

Posted by Humphrey Cheung

Las Vegas (NV) – I’ve just received an email that says “I like sheep”, but it wasn’t sent by my friend – it was sent by a hacker posing as my friend.  At the Black Hat security convention, Robert Graham, the CEO of Errata Security, surprised attendees by hijacking a Gmail session on camera and reading the victim’s email.  He went even further by demonstrating the attack to us in person, taking over another journalist’s Gmail account and then sending us sheep-loving emails.

[Image: Gmail hacking at Blackhat]
The attack is actually quite simple.  First, Graham needs to be able to sniff data packets, and in our case the open Wi-Fi network at the convention fulfilled that requirement.  He then ran Ferret to copy all the cookies flying through the air.  Finally, Graham cloned those cookies into his browser, in easy point-and-click fashion, with a home-grown tool called Hamster.

The attack can hijack sessions in almost any cookie-based web application, and Graham has tested it successfully against popular webmail programs like Google’s Gmail, Microsoft’s Hotmail and Yahoo Mail.  He stressed that since the program just uses cookies, he only needs an IP address; usernames and passwords aren’t required.

“I see ten people’s cookies on my screen, I just need to click on the guy’s IP address and I’m in. Once you get someone’s Google account, you’d be surprised at the stuff you’d find,” said Graham.

Graham gave us a first-hand demonstration of the attack in the press room.  George Ou, Technical Director of ZDNet and author of the blog “Real World IT”, bravely volunteered to be the victim by making a new Gmail account called getmehacked@gmail.com.  Ou logged onto Black Hat’s wireless network and emailed me a prophetic message, “Hey Humphrey, I'm about to be hijacked.”

While Ou was typing, Graham was running Ferret and sniffing all the cookies that were being sent between Ou’s laptop and Google.  Graham then clicked on Ou’s IP address, and up came Ou’s Gmail page, complete with Ou’s recently sent message on the screen.  We photographed both Graham’s and Ou’s laptops at that time and posted the pictures to the picture gallery.  You’ll see that the contents are exactly the same.

Reading email is one thing; sending email is much more exciting.  Graham typed out a short message, “I like sheep”, and sent it to my account.  A short moment later, my Outlook popped up with that message.  Interestingly enough, that message also appeared on Ou’s screen.

But if that wasn’t scary enough, Graham told us that he can even log in the next day or possibly several days later into the Gmail account.  “I can just copy the data to a file and replay it later.  I’ve been able to log into Gmail accounts one day later,” said Graham.

Since the attack relies on sniffing traffic, using SSL or some type of encryption (like a VPN tunnel) would stop Graham in his tracks.  However, many people browsing at public wireless hotspots don’t use such protections.
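The two properties the demo depends on can be checked from the server side. Below is an added example, not code from the article, from Errata Security or from Google: a small Python audit of Set-Cookie headers (the sample headers are constructed and not Gmail’s real ones) that flags a session cookie without the Secure flag, which a browser will send over plain HTTP where a sniffer like Ferret can read it, and a session cookie with no or a long expiry, which is what lets a captured cookie be replayed a day later. The cookie-name hints and the one-day policy are assumptions.

```python
"""Audit Set-Cookie headers for the weaknesses a cookie-sniffing hijack relies on."""
from typing import Dict, List

# Constructed sample headers, as a webmail server might send them (not real Gmail headers).
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/",                  # sniffable, never expires
    "PREF=theme=dark; Max-Age=31536000; Path=/",                 # preference, not a session
    "SSID=xyz789; Domain=.example.com; Path=/; Secure; Max-Age=3600",  # hardened
]

# Assumption: substrings that mark a cookie as carrying a login session.
SESSION_NAME_HINTS = ("sid", "sess", "auth", "token", "login")
# Assumption: our policy. Validity of a day or more is what made next-day replay possible.
MAX_SESSION_AGE = 24 * 3600


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header into name, value and lower-cased attributes.
    Bare flags such as Secure are stored with an empty string value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_cookie(cookie: Dict[str, str]) -> List[str]:
    """Return the findings for one parsed cookie; non-session cookies get none."""
    findings: List[str] = []
    if not any(h in cookie["name"].lower() for h in SESSION_NAME_HINTS):
        return findings
    if "secure" not in cookie:
        findings.append("no Secure flag: sent in clear over HTTP, sniffable on open Wi-Fi")
    max_age = cookie.get("max-age")
    if max_age is None and "expires" not in cookie:
        findings.append("no expiry: replayable until the server invalidates the session")
    elif max_age is not None and max_age.isdigit() and int(max_age) > MAX_SESSION_AGE:
        findings.append(f"Max-Age {max_age}s exceeds policy: a captured cookie replays for days")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings, e.g. audit_headers(SAMPLE_HEADERS)."""
    return {c["name"]: audit_cookie(c) for c in map(parse_set_cookie, headers)}
```

A cookie the audit passes is still only as safe as the page that sets it: the Secure flag keeps the browser from sending it over HTTP, so the login and mail pages themselves must be served over SSL for it to help.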

“You’re an idiot if you use T-Mobile hotspot,” said Graham.

You would think that Graham would be having lots of fun testing out his tools.  After all, the ability to read and send other people’s email with impunity would be enough power to send most people (especially at Black Hat) through the roof, but Graham says that isn’t so.

“I’m not having too much fun because I usually can’t send emails that say ‘I like sheep’”, said Graham.  Not wanting to break the law, his victims have usually been his friends or co-workers, but that’s about to change because of the free-fire nature of the upcoming Defcon convention’s Wi-Fi network.

“People expect to be hacked at Defcon, so I’m going to have a blast there,” Graham said.  He added that the Hamster tool will be released in the next few days.