Say hello to a new security tool called "Surf Jack", which demonstrates a security flaw found in many public sites. The proof-of-concept tool allows testers to steal session cookies from HTTP and HTTPS sites that do not set the cookie Secure flag: a cookie without that flag is sent by the browser on any plain-HTTP request to the same host, so an attacker on the same network only has to trick the browser into making one such request to read the session cookie off the wire. I have been working with two banks and some of the vulnerable sites to get this fixed before publishing my research. Mike Perry gave a talk at Defcon involving the exact same vulnerability, so there is no point in keeping this from the public.
You can download the tool from here and a paper with more details on the subject.
The following is a video demonstration of how this affects Gmail and how to prevent it from affecting you.
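The leak described above, shown in code rather than on the wire: the Python example below is an added illustration written for this page, not the Surf Jack tool or anything from the original post. It uses the standard library's cookie jar as a stand-in for the victim's browser cookie store, sets a session cookie over HTTPS once without and once with the Secure attribute, and then models the forced sidejack (the attacker answers any plain-HTTP request with a redirect to `http://<webmail host>/` and reads whatever Cookie header follows). The host name `mail.example.com`, the `SID` values and the function names are constructed for the example.

```python
"""
Why a session cookie set over HTTPS without the Secure attribute leaks on the
first plain-HTTP request to the same host, using only the standard library.

Everything here is constructed sample data for illustration: the host name,
the SID values and the helper names are not from any real site or tool.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

SAMPLE_HOST = "mail.example.com"   # constructed stand-in for a webmail host


class _FakeResponse:
    """Minimal object exposing the .info() method CookieJar.extract_cookies needs."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value   # Message keeps repeated headers

    def info(self):
        return self._headers


def browser_after_login(set_cookie_headers, login_url=f"https://{SAMPLE_HOST}/login"):
    """Simulate the browser logging in over HTTPS and storing the Set-Cookie headers."""
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_headers), Request(login_url))
    return jar


def cookie_header_sent_to(jar, url):
    """Return the Cookie header the browser would attach to a request for url, or None."""
    req = Request(url)
    # The jar applies the Secure rule here: Secure cookies are only attached
    # when the request scheme is https, so they never appear on http:// requests.
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def forced_sidejack(jar, victim_host=SAMPLE_HOST):
    """
    Model the attack: the victim's browser makes *any* plain-HTTP request on the
    shared network, the attacker answers it with a redirect to
    http://<victim_host>/, and then sniffs what the browser sends there.
    Returns the Cookie header visible in cleartext, or None if nothing leaked.
    """
    redirect_target = f"http://{victim_host}/"
    return cookie_header_sent_to(jar, redirect_target)


# Weak server response: Secure attribute missing (the case Surf Jack targets).
WEAK_SET_COOKIE = ["SID=s3ss10n-t0ken-weak; Path=/; HttpOnly"]
# Hardened server response: Secure attribute present.
HARDENED_SET_COOKIE = ["SID=s3ss10n-t0ken-hard; Path=/; Secure; HttpOnly"]


def demo():
    """Run both cases and return (weak leak, hardened leak, hardened cookie over HTTPS)."""
    weak_leak = forced_sidejack(browser_after_login(WEAK_SET_COOKIE))
    hardened_leak = forced_sidejack(browser_after_login(HARDENED_SET_COOKIE))
    # The Secure cookie still works for the legitimate HTTPS session.
    still_works_over_https = cookie_header_sent_to(
        browser_after_login(HARDENED_SET_COOKIE), f"https://{SAMPLE_HOST}/inbox"
    )
    return weak_leak, hardened_leak, still_works_over_https


if __name__ == "__main__":
    weak, hardened, ok = demo()
    print("without Secure, the sniffer sees:", weak)
    print("with Secure, the sniffer sees:   ", hardened)
    print("with Secure, over HTTPS:         ", ok)
```

Note that the attacker never has to break TLS: the redirect is injected into an unrelated plaintext request, and the browser volunteers the non-Secure cookie on the follow-up. Adding `Secure` closes exactly this path; it does nothing against a user who accepts a bad certificate for an HTTPS man-in-the-middle, which is a separate problem.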
Filed under: Research | 24 Comments
http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html
Rings a bell?
Sure does ;) The paper obviously mentions that, and it is what triggered the development of the Surf Jack tool.
Hey Sandro, excellent demo video. Good job man.
It’s worth mentioning that although Gmail now has the “enforce SSL” option, very few users will actually bother enabling it :( Unfortunately, Gmail – and all other large free webmail providers – don’t have the infrastructure required to handle all the extra overhead traffic caused by SSL.
Also, even if a site uses SSL and sets cookies using the 'secure' flag, couldn't sessions still be hijacked via SSL MITM? Of course, the victim would get an invalid certificate warning, but still many users ignore those.
Very true what you said about the “enforce SSL” option. People use defaults, only geeks change options and such ;-) So until it becomes easier for services such as Gmail to serve everyone with SSL, I don’t see the default changing.
Yes – SSL MITM still works if the user accepts an invalid certificate or the attacker has access to a valid key (like the case of the Debian issue of 3 months ago). It is however becoming more difficult to accept an invalid certificate with Firefox and IE. But the truth is that, yeah, this will always work until current browsers stop allowing users to do (not so) stupid things.
Bug when I choose my interface, lines 271, 272.
Currently the tool supports Scapy 1.x. The new Scapy version 2 was not tested with Surf Jack and will probably not work.
Sandro,
A cookie marked as "secure" should be a simple workaround, no?
Congratulations Sandro, it is a great job…
Hello Sandro,
My 2 Gmail passwords were hijacked. I cannot access my accounts until now. One account at mail.gmail.com, one again at a Google Apps mail custom domain.
After reading this, I set "always use https" for all my Gmail accounts. But in Google Apps Mail it's not provided (CMIIW).
I access the internet via WiFi to my ISP network. I think my ISP network was not secure. This is my assumption, because I do not know how to check it.
So, I decided to move to a DSL or cellular (HSDPA) internet connection this month. I hope this is the best solution for my online access security. I'll avoid WiFi. Give me your advice please.
I use BackTrack 3.0 for posting this. But I do not find your app for hijacking Gmail (surfjack?) and the other tools for watching the IPs as seen in the video.
Anyway, thanks for the information. I keep trying to get my Gmail account back. It would be nice if you gave me feedback.
Regards.
Hi Parah,
For a home user, avoiding WiFi will normally reduce your exposure to this kind of attack; so I think that it is a good solution.
Regarding BackTrack – you simply need to download the file to the BackTrack machine from surfjack.googlecode.com. By making use of BackTrack you avoid dependency hell ;-)
Good luck with the Gmail account recovery!