Hamster Plus Hotspot Equals Web 2.0 Meltdown NOT
Robert Graham (CEO Errata Security) gave his Web 2.0 hijacking presentation to a packed audience at Black Hat 2007 today. The audience erupted with applause and laughter when Graham used his tools to hijack someone's Gmail account during an unscripted demo. The victim in this case was using a typical unprotected Wi-Fi Hotspot and his Gmail account just popped on the large projection screen for 500 or so audience members to see. Of course had the poor chap read my blog about email security last week he might have avoided this embarrassment. But for the vast majority of people using Gmail or any other browser or "Web 2.0â€³ application, they're all just a bunch of sheep waiting to be jacked by Graham's latest exploit. Hamster plus Hotspot equals Web 2.0 meltdown!
I have nothing against Robert, he is a good guy, but I have to say that his research has nothing to do with Web2.0. Man-in-the-middle attacks have been known for ages and being able to sniff the session identifier from a HTTP connection over unprotected/unencrypted channel is not new. Of course it works. I mean, of course it works. And yes, do not use Telnet because someone will be able to capture your credentials. Of course it works! It is unencrypted channel, therefore it means that everyone will be able to see the traffic.
Cookies are standard mechanism to imitate statefulness for otherwise stateless HTTP connections. If someone sniffs them from the air they will be able to impersonate the connection they support. This is it! Finito! And, btw, you don't need any special tools to do all that. All you need is bash with some very basic utils you can find on any standard Unix/Linux distribution. Here is an example:
- Start Kismet
- Read the Kismet dump file
- Extract Strings
- Match and extract cookies
> kismet& > tail -f kismet.dump | string | grep -iE 'Set-cookie:|Cookie:'
Here you go! So, I don't really understand what is the fuss all about. Again, I repeat, this is not Web2.0 problem and I repeat this is not Web2.0 problem and I repeat.
Web 8.0 Mashup Hacking with Yahoo Tubes. WTF?well, yes. Yahoo Pipes is a Web2.0 technology so I don't see any problems with using Web2.0 terminology. Moreover, the pipes interface proves one thing: I can spider Web Applications in search for vulnerabilities circumventing to an extend the same origin policies. That wasn't possible before. There is more to that but you will hear about it soon. So yes, it is new and yes it is Web2.0. So, what exactly is your point, Galeazzi? The technical stuff are still on the blog but I have to agree with you that there was sort of a dry period lately. The reason for this is mainly because I was involved into two huge projects, the XSS Book and the Google Hacking for Penteasters vol2 book. However, there is a lot in the background going on that you cannot see. :) So, stay tuned.
everything new is well forgotten old thing.