Friday, August 15, 2008

Google vs. SideJacking, round 7

Google recently made a change that allowed you to configure your Gmail account to force SSL. Last I looked at Gmail, it would still leak cookies even if you thought you were using SSL. This latest change from Google appears to have fixed this.

If you enable this in your account, Gmail will not allow you to use non-SSL. If you attempt to log into "", it will switch to "".

Moreover, the session cookie "GX" is set with the "secure" flag. That means you won't disclose if even if you try normal HTTP. I have not yet been able to grab the cookie and hijack an SSL Gmail session yet. I can still hijack a lot of other Google stuff. For example, I'm posting by hijacking my own Blogger account.

Background Info

The following is the cookie specification for cookies sent by the server:

Set-Cookie: =[; =]
[; expires=][; domain=]
[; path=][; secure][; HttpOnly]

When "HttpOnly" is set, this means that cookies can only be set when within HTTP headers but not with JavaScript, thus preventing some cross-site-scripting attacks. When "secure" is set, this means the cookie is set with HTTPS but not HTTP.

When looking at the Gmail cookies, only the "GX" cookie is set with "secure" flag, all the rest can be sent via HTTP. However, the "GX" cookie is the important one that allows me to hijack the session, so that's probably appropriate.

No comments: