SSL-encrypted Gmail not safe to 'sidejacking' attacks, says researcher

Robert Graham, CEO of Errata Security, who last year found that it's possible to capture someone's session cookie via wireless eavesdropping, now says that even encrypted services such as Google's Gmail can sometimes provide him with a session cookie. This is a departure from his advice last August when he said SSL HTTPS sessions of Gmail should be immune.

Graham, working with David Maynor, created two tools (Ferret and Hamster), which together help him grab session cookies out of thin air, say, at a local hot spot, like an Internet cafe. Session cookies allow you to shop at an e-commerce site, then leave the page and return later without re-entering your password. One doesn't have to decode the user's password to exploit the session cookie, merely possess it.

Graham gave a live demonstration of his sidejack attack on an audience member's Gmail account at last year's Black Hat USA, displaying that person's inbox before a standing-room-only crowd.

Now Graham says that Gmail, in particular, will sometimes connect to a hot spot first via Javascript rather than SSL, and this allows his tool to grab the session cookie and thus read someone else's e-mail. The same could be true with Amazon.com and other Web 2.0 sites.

"In theory, Graham says, "using the HTTPS version of Gmail should protect you by going to https://mail.google.com/mail, but this doesn't work as you think. The JavaScript code uses an XMLHttpRequest object to make HTTP requests in the background. These are also SSL encrypted by default, but they become unencrypted if SSL fails."

Graham provides more details in his blog.