Researcher: Web 2.0 vulnerable to cookie theft
Robert Graham of Errata demonstrates a way to steal Web 2.0 session cookies, and how to find zero-day vulnerabilities inside security applications.
LAS VEGAS--Robert Graham of Errata Security on Thursday showed how reverse engineering your security application can uncover a treasure trove of zero-day vulnerabilities. He also demonstrated a new man-in-the-middle attack scenario that affects several popular Web 2.0 sites. He did so in a talk at Black Hat titled "The Lazy Hacker's Guide to TCB (Taking Care of Business)."
David Maynor who is no stranger to controversy at Black Hat was scheduled to speak alongside Graham, but Maynor was called away at 4 a.m. by a client in need. Errata CEO Graham presented the talk solo.
In part one, Graham talked about hacking into TippingPoint's Zero Day Initiative. The Zero Day Initiative is a program where researchers are paid for new, undisclosed vulnerabilities. What Maynor and Graham found was that TippingPoint then sent out protection to its clients, protection that could be reverse-engineered, thus revealing the vulnerability. This happens with Microsoft patches as well; the difference is that these vulnerabilities haven't been made public. The methods shown in the Black Hat talk have since been fixed by TippingPoint, but Graham pointed out that the same processes could be used by other zero-day marketplaces, such as those by eEye and IBM ISS.
In the second part of the talk, Graham showed how he could wirelessly sniff the session cookies used by Web 2.0 sites such as Google Gmail, Facebook and MySpace.com. He said that these sites seem to ignore the fact that sniffing for session cookies has been around for years. As an example, during the talk, he sniffed the wireless in the room at Black Hat, and from those results, was able to pull out a session cookie for Gmail. Within minutes, he displayed, quickly, that person's Gmail account on the project screen. By doing this, he could send messages as that person, read all the mail in the account, change the settings, such as changing the sender message to "I love sheep," or change the screen colors. What he can't do is change the password on the account.
Graham said Gmail allows you to choose "https" protection, and urged everyone to do so. He said Facebook and other Web 2.0 sites don't offer that, making the theft of the session a possibility. For that, simply do not use those accounts in a public Wi-Fi setting, such as an Internet cafe or airport waiting area.