Google, WTF?

10:30 pm General

After some investigation I found the most probable cause of the break-in into my GMail account, the one that resulted in a spam message being sent to my entire GMail address book.

GMail performs the login over https. Then (bah!) it redirects to plain http! All further interaction happens in the clear, unless the address you originally typed in your browser started with https (or you change it manually and explicitly in the address bar). Awesome, isn’t it? For details, see for example here.

So, I guess that when I read my GMail through some occasional free hotspot in the city (thanks to my n800), there was a “man in the middle” attack. Since the http stream is not encrypted and all the cookies travel in it, that is no big deal even for a minimally educated script kiddie…
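To make the mechanism concrete, here is an added example (my own illustration, not code from the original post and not Google's): a toy model of a browser cookie jar, the request it puts on the wire, and what a passive listener on the same hotspot recovers from one cleartext request. Hosts, cookie names and values are constructed. The "hardened" jar differs only in the cookie's Secure attribute, which tells the browser never to send that cookie over plain http; the behaviour described above implies the session cookie lacked it.

```python
"""Why "https login, then redirect to http" leaks the session.

Added example (not the blog author's code, not Google's): a toy browser
cookie jar plus the view a hotspot sniffer gets of one cleartext request.
All hosts, cookie names and values are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # ".example.com": the host and all its subdomains
    secure: bool = False   # True: the browser sends it over https only


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265-style domain match: exact host or a proper subdomain."""
    host = host.lower()
    cd = cookie_domain.lower().lstrip(".")
    return host == cd or host.endswith("." + cd)


def cookies_for(url: str, jar: list[Cookie]) -> list[Cookie]:
    """Cookies a browser would attach to a request for `url`.

    A cookie carrying the Secure attribute is withheld on plain http;
    everything else goes out regardless of scheme.
    """
    parts = urlsplit(url)
    over_https = parts.scheme == "https"
    return [c for c in jar
            if domain_matches(parts.hostname or "", c.domain)
            and (over_https or not c.secure)]


def build_request(url: str, jar: list[Cookie]) -> str:
    """The request text the browser emits; over http this is what the air carries."""
    parts = urlsplit(url)
    lines = [f"GET {parts.path or '/'} HTTP/1.1", f"Host: {parts.hostname}"]
    sent = cookies_for(url, jar)
    if sent:
        lines.append("Cookie: " + "; ".join(f"{c.name}={c.value}" for c in sent))
    return "\r\n".join(lines) + "\r\n\r\n"


def sniff_cookies(raw_request: str) -> dict[str, str]:
    """What a passive listener on the same hotspot recovers from one request."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            pairs = line.split(":", 1)[1].split(";")
            return dict(p.strip().split("=", 1) for p in pairs if "=" in p)
    return {}


def leaked_cookie_names(url: str, jar: list[Cookie]) -> list[str]:
    """Cookie names a sniffer sees for a request to `url`, sorted.

    Over https the Cookie header sits inside the TLS stream, so nothing
    is visible; over http the header is readable by anyone on the path.
    """
    if urlsplit(url).scheme == "https":
        return []
    return sorted(sniff_cookies(build_request(url, jar)))


if __name__ == "__main__":
    # Session cookie as the post describes it: set during the https login,
    # scoped to the whole domain, no Secure attribute (constructed value).
    leaky = [Cookie("SID", "s3ss10n-t0k3n", ".example.com")]
    # Same cookie with Secure set: the browser refuses to put it on the wire
    # unencrypted, so the http redirect no longer exposes it.
    hardened = [Cookie("SID", "s3ss10n-t0k3n", ".example.com", secure=True)]
    urls = [
        "http://mail.example.com/mail/",    # where the post-login redirect lands
        "http://www.example.com/search",    # another service on the same domain
        "https://mail.example.com/mail/",   # what typing https by hand gets you
    ]
    for url in urls:
        print(f"{url:36} leaky={leaked_cookie_names(url, leaky)} "
              f"hardened={leaked_cookie_names(url, hardened)}")
```

Note the second url: a cookie scoped to `.example.com` rides along on a plain-http request to any subdomain, so a session established on one service is exposed by an unencrypted visit to another service on the same domain, which is the cross-service exposure one of the comments below describes. The Secure attribute closes that path for the cookie; it does not, by itself, stop the redirect to http, so a practitioner would also want the site to stay on https after login (or to send HSTS) so the browser never makes the cleartext request in the first place.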

I definitely blame myself for being so lame as not to know that bad fact about GMail (and for not being paranoid enough to check the security of the connection when I had to). But I am deeply disappointed that GMail is so insecure by default, and that this information is not printed in big red letters at the top of the page.

I guess there might be some people around who are still not aware of that shameful detail about GMail, so I am warning them.

22 Responses

  1. troll Says:

    If you use correct url when connecting then it stays as https. Ask Google for more details :-)

  2. Sergey Udaltsov Says:

    troll: Thanks, I know. NOW I know :) But usually I just did “gmail.com” – and that was it. Since the n800 does not have a real keyboard, every character is expensive :)

  3. Sergey Udaltsov Says:

    … and yes it was http:// in the bookmark. Because I did not know and Google did not warn me.

  4. nick podges Says:

    I’m not sure that’s a fair complaint. It makes more sense to use http:// by default, since it’s faster, and most of the time you trust your internet connection.

    Note that yahoo also handles this the exact same way.

    Still, it stinks that you were taken advantage of.

    regards,

    Nick

  5. Steffl Says:

    …but your browser should usually warn you in such a case. At least if you had https first.

  6. Matthew Says:

    Gmail + IMAP(TLS/SSL) is your friend.

  7. EbilPhish Says:

    You should look at using a real email client with IMAP. It’s completely encrypted, and being IMAP it remembers things like what folders you put messages in, so you can set up a filter in gmail to dump things in their respective folders and then see that from any email client.

    You can even make sure drafts are stored in the gmail drafts folder rather than locally and trash archives things instead of permanently deleting it. Although it does take a few tweaks under Thunderbird.

  8. Mukund Says:

    If you use https://mail.google.com/ to visit Gmail initially, it stays in HTTPS mode after the authentication is complete.

  9. Sergey Udaltsov Says:

    nick: the “man in the middle” attack can be performed on any host used for routing between me and Google. It does not make sense to trust your connection wholeheartedly even in the wired case (unless your route to Google has length 1). I realize that Google and Yahoo are saving their resources – but they do it at my expense.

    Steffl: Usually people disable these warnings immediately. They are too annoying. So did I :)

    Matthew, EbilPhish: Yes, but many IMAP clients have issues with the huge “All Mail” folder. And BTW Google added IMAP only quite recently – while the issue I am talking about is ages old.

    Mukund: Yes I know it. NOW:)

  10. Daniel Says:

    I suspect that gmail isn’t the only Google service which suffers from this problem.

    If you log in to another Google service (or else open the service in another tab while already being logged in) the cookie will be exposed in the clear and can be used to access other Google services (including Gmail). Remember that some Google services such as Google search cannot be accessed with https.

    The cookie also seems to never expire unless you log out. This effectively means that a stolen cookie can be used perpetually :S

  11. Dave Says:

    The Firefox ‘Better Gmail’ extension has an option to always use ‘https’, which is useful :)

  12. Sergey Udaltsov Says:

    Daniel: most probably you’re right. And it does not make Google a nice guy. I wonder if the guys who stole my cookie are going to use it again :(

    Dave: unfortunately that extension is not available for n800′s browser yet.

  13. Dan Arkway Says:

    1) Get http://www.customizegoogle.com/, put all google stuff to https. 2) Use the secure IMAP stuff with SMTP/TLS with a good tool and do not use a web browser – they are not secure. 3) Try to get rid of gmail :) It’s not good.

  14. Sergey Udaltsov Says:

    Dan: 1. Unfortunately that extension is not available @ Nokia N800 2. Yes I will probably 3. Except for security reasons – why not? The usability is very high IMHO

  15. Dan Arkway Says:

    Hi Sergey,
    I thought there is a mini version of FF out there for the N800. But some JS version of s/http/https should work on Opera, too. Already checked: http://smir.de/cg/? Which browser do you use?
    2. Checked mutt?
    3. http://en.wikipedia.org/wiki/Privacy
    :)
    Good luck, Dan

  16. Dan Arkway Says:

    Tried:
    http://smir.de/cg/
    ? – Dan

  17. Ruairi Says:

    Hi,

    Boards.ie users have seen the exact same email sent from Yahoo as well as Gmail, again using the users’ credentials: passwords are certainly being stolen, but it may not be a hotspot – as it’s unlikely both they and you have visited the same sites.

    Yahoo gives the originating IP, and it’s China, so the spammer is logging in remotely to send the mail and it’s not a virus.

    Is there any chance it’s XSS, or a problem with Flash?

  18. Sergey Udaltsov Says:

    Dan: the browser is mozilla-based. But extensions require special packaging.

  19. Martin Hjort Eriksen Says:

    If I remember correctly, after looking at the source, they have their own encryption implementation in Javascript. Therefore they are not using HTTPS.

  20. Justin Mason Says:

    Google had a cross-site referrer hole which was actively exploited in at least 1 case last month: http://davidairey.co.uk/google-gmail-security-hijack/

    there seems to be a mini-epidemic of webmail account theft going on at the moment. I’m writing about another one at: http://taint.org/2007/12/21/171309a.html , and several people have pointed to other cases in the comments (yours being one).

    As a matter of interest, what was the spam sent from your account?

  21. Sergey Udaltsov Says:

    Justin: shame on Google indeed. My spam had first lines:

    We are a wholesaler which deal with electronic products, such as: Mobile,TV,PC,DV,DC,games,MP3 Even motorcycles and musical instruments. Delivering our items by EMS to our customers around the world, The link pointed to the site www dot ems dot com dot cn

  22. adrin Says:

    By the way, Yahoo doesn’t support a secure connection as easily and freely as Google does.