Researchers demonstrate webmail, social networking flaws

Users of popular social networking Web sites and Webmail such as Google's Gmail, are at risk of having their sessions hijacked by an attacker, researchers at Errata Security warn.

Researchers at Errata Security have developed tools that sniff out users of Web-based email and social-networking sites over Wi-Fi and hijacks their sessions.

Web 2.0 is fundamentally broken.
Robert Graham,
CEOErrata Security

Users of Google's Gmail, Microsoft's Hotmail and Yahoomail are at risk as are users of Facebook and other Web 2.0 social-networking Web sites, said Robert Graham, a security researcher and CEO of Errata Security. Software-as-a-service (SaaS) offerings such as are also at risk, Graham said.

"Web 2.0 is fundamentally broken," Graham said. "Using the tools it's easy to hijack other people's credentials. It's a fundamental flaw in Web 2.0."

Two tools, created by Graham and David Maynor, chief technology officer of Errata, are called Hamster and Ferret. They work in tandem over Wi-Fi to sniff out URLs and cookies and then store and translate the information to allow the attacker to open a Web-based email session without detection.

The sniffer detects the cookie data being transferred between a wireless router and a computer. Cookies are used for authenticating a user and can last for several years, allowing an attacker to sniff out the information and store it for future use, Graham said.

Graham demonstrated the tools during a session at Black Hat 2007, sniffing out URLs of users in attendance until he found a Gmail user and quickly opened up the person's session. Although the tools are still in their early stages of development – they lack an easy-to-use installer and are buggy– Graham said he plans to place them on his Web site to download for free.

The Black Hat session was called "Simple Solutions to Complex Problems, from the Lazy Hacker's Handbook." The technique is a lazy way to hack, Graham said, since a hacker could sit at a hotspot and easily hijack sessions.

While a hacker can browse through a person's email and change some settings, the hacker cannot change a password, because many Web 2.0 applications require a second log-in, Graham said. Google also allows users to use SSL to access their accounts, a feature that will bar an attacker from gaining access, he said.

James Booseman, a San Jose, Calif.-based security architect, who attended the session, said he was surprised by the demonstration. But Booseman said that by using the appropriate security steps when on public Wi-Fi, such as using a virtual private network, can avoid data leakage.

"It's about keeping yourself from being at risk," Booseman said. "I bet there are many people out there who are wide open to this kind of attack."

Read more on Wireless networking