Gmail on iphone..notsosecure

October 14, 2008

burp logs showing http request


If you are concerned about the security of your emails, accessing Gmail from a mobile device may not be a great idea.

1. A few weeks ago, Google introduced a new feature in Gmail that lets you force the Gmail session to use HTTPS only and never HTTP. Unfortunately, this does not apply to Google mobile (http://mobile.google.com/): even if you set your preferences to use HTTPS only, Gmail accessed via a mobile device still makes requests over HTTP. The HTTP request takes place in the background. The clear-text response contains all the session cookies and also a URL over HTTPS.

2. To make matters worse, this URL, returned over port 80, contains the session ID and is sufficient on its own to access email (the attacker does not need your session cookie). Thus, if your mobile device is going through a proxy server and an attacker manages to access the logs of that proxy server, he will have access to this URL containing the session ID, which makes the issue slightly more concerning. Of course, once you log out, this URL is no longer valid, so the attack is time-limited.

Update: Google has fixed the second issue and doesn't appear to be too keen to fix the first one.
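The two issues above can be checked for in an intercepting-proxy capture. The following is an added example, not code from the original post; the hosts, the parameter names in `SESSION_PARAMS` and the sample capture are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed session-bearing query parameter names; adjust for the application under review.
SESSION_PARAMS = {"sid", "sessionid", "session_id", "auth", "token"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def session_params(url):
    """Return the session-like query parameter names present in a URL."""
    names = {k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return sorted(names & SESSION_PARAMS)

def audit_exchange(exchange):
    """Return the findings for one captured request/response pair."""
    findings = []
    cleartext = urlsplit(exchange["url"]).scheme == "http"
    if cleartext:
        findings.append("cleartext-request")
    if session_params(exchange["url"]):
        findings.append("session-id-in-request-url")  # ends up in proxy logs
    for cookie in exchange.get("set_cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        # Visible on the wire now (cleartext) or sendable over HTTP later (no Secure).
        if cleartext or "secure" not in attrs:
            findings.append("cookie-exposed:" + cookie.split("=", 1)[0])
    if cleartext and any(session_params(u) for u in URL_RE.findall(exchange.get("body", ""))):
        findings.append("session-url-in-cleartext-body")
    return findings

def audit(capture):
    return {e["url"]: audit_exchange(e) for e in capture}

# Constructed sample capture: hosts, parameters and values are made up.
CAPTURE = [
    {"url": "http://mobile.example.com/start",
     "set_cookie": ["PREF=abc; Path=/", "SID=xyz; Path=/; Secure"],
     "body": '<a href="https://mail.example.com/inbox?auth=PLACEHOLDER">mail</a>'},
    {"url": "https://mail.example.com/inbox?auth=PLACEHOLDER",
     "set_cookie": ["MAILSID=q1; Path=/; Secure; HttpOnly"], "body": ""},
    {"url": "https://mail.example.com/message?id=42", "set_cookie": [], "body": ""},
]

if __name__ == "__main__":
    for url, findings in audit(CAPTURE).items():
        print(url, "->", findings or "ok")
```

A cookie set in a clear-text response is flagged even when it carries `Secure`, because the `Set-Cookie` header itself has already crossed the network unencrypted.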

Comments

1 Comment

  • sid says:

    Gmail’s response:-

    “Thanks for your report on the GMail session-id-in-URL leak – nicely spotted! This affects a subset of people, so I’m glad you pointed it out. As you noted in your blog post, we’ve made sure this no longer appears in the URL. That’s issue #2 in your blog post. Unlike issue #2, issue #1 does not relate to any mail.google.com data.”

    My response:-

    issue1:- My mistake, I did not see the hostname correctly. Yes, it may not have a direct impact on mail.google.com but an attacker could change the HTTP response and thus present a victim with a login page which will submit the credentials to an attacker-controlled website. This attack will be quite stealthy and will fail the existence of HTTPS as the URL will say http://www.google.com. Further, I haven’t looked into what an attacker could do with cookies obtained via the HTTP request. Not all cookies are marked secure, and I am not sure if the cookies not marked as secure can be used to obtain a secure cookie too or if they can be used in Google accounts etc. All in all, it may be worth fixing it. :)
