A security researcher has been in discussions with Google regarding an exploit he plans to release that would allow a hacker to easily intercept someone's communications with supposedly secure websites over an unsecured Wi-Fi network.
According to the researcher, other sites, such as Facebook, Yahoo Mail, and Hotmail, are also vulnerable.
Mike Perry, a reverse engineer and developer at Riverbed Technology, said he announced on the Bugtraq email list a year ago a common flaw with the way websites implement the SSL (Secure Sockets Layer) protocol, which is designed to protect people's data when they surf the web. Typically, websites only use SSL for encrypting communications during the login stage, Perry said, thus exposing their users' cookies to theft via sniffing by someone else on the network. A tool exploiting this flaw was released last year by Robert Graham of Errata Security, at the same time as Perry announced his flaw.
Session cookies — which identify the machine as having used the correct username and password — have two modes: 'secure' and 'insecure'. The vulnerability disclosed by Perry targets sites that attempt to use SSL, but do not flag their cookies as secure. This flaw allows the cookies to be obtained by an attacker with access to the local network, and use them to pose as the web surfer and access that person's email accounts, bank accounts and other services, even if those users try to use HTTPS, Perry said.
Nothing was done to fix the SSL problems until a month ago, when Google announced that users can set Gmail to automatically encrypt communications between a browser and Gmail servers by default, instead of having to type in 'https://mail.google.com', Perry said.
However, accessing the site via the above address does not automatically preserve the secure session and the cookies can still be stolen, Perry said.
He said he has contacted security representatives at Hotmail, Yahoo Mail and Facebook about the fact that their sites remain vulnerable to a so-called 'man-in-the-middle attack' in which someone on the same Wi-Fi network hijacks the session cookies that are transmitted between a user's browser and a website. As of Friday afternoon, he had not heard back from them, he said.
Representatives at Microsoft and Yahoo said they were working on getting comment, while representatives at Facebook did not respond to emails or a phone message from sister site CNET News.com seeking comment.
Amazon encrypts communications related to payment but not purchase history and recommendations, according to Perry. An Amazon spokeswoman said the company does not comment on security measures.
Perry had planned to release his exploit tool, which automates the hijacking of the cookies, on Sunday — two weeks after he gave a talk about the vulnerabilities at the Defcon hacker conference in Las Vegas. Another exploit already exists that targets the same problem, he said.
"The motivation is to raise awareness and try and encourage these sites to adopt SSL and do it properly," he said in an interview on Friday.
Delaying release of the tool
But, Perry said he has decided to delay releasing the tool for an undetermined time after talking to Google.
Google is the only one of the major websites to offer users the option of setting automatic encryption for all the communications with the site and not just the login page, as well as to properly set the secure property of its cookies, Perry said.
Google said it is rolling out the option not just for consumer Gmail users but also for Google Apps enterprise users, and has launched it for the premier edition of Google Apps so that communications with Google Docs, Calendar and other included Google sites are encrypted.
It is also very possible that Google will make it so that the 'always encrypt' mode is automatically enabled when people first log in via 'https://gmail.google.com' instead of having to go into settings and enable it manually, Perry said.
"Just about everyone but Google simply does not want to spend the money to invest in the security of their users, and will continue to ignore this issue, just as they have for the past year," Perry wrote in an email.
The vulnerability affects people using unsecured wireless networks and would require the attacker to be using the same network at the same time. However, it could affect people on other types of networks if it were to be combined with other attacks, such as those taking advantage of a recently discovered DNS hijacking exploit that any web surfer could be exposed to, or more elaborate attacks involving modified DSL or cable modems, which were also discussed at Defcon, Perry said.
Perry has gone into more details about the problems and his plans on his blog.
