Clear-text email insecurity (+ PoC)

Many people use publicly available web-based email systems such as Yahoo mail, Hotmail or Gmail over plain HTTP. In this post you will see how easy it is to gain access to someone’s email session by exploiting the clear-text HTTP protocol. You can also find a tool I wrote – YM_hijack – which is a proof of concept of the theory described.

A little bit of theory

Web servers identify a client through a piece of data the client sends called a cookie. After the client authenticates itself to the server (by username and password), the server assigns unique cookies to that client. When the client makes a request to the server using those cookies, the server knows the client is who it claims to be and allows it to access personal data.

Most web-based email systems use the mechanism described above, and most of them do not encrypt their traffic. As you know, HTTP is a clear-text protocol, and anything sent over the network using HTTP can be sniffed and interpreted.

So, in a LAN environment, by using a sniffer and a man-in-the-middle tool you can capture the cookies used for session identification and use them in your own browser to impersonate the real cookie owner. I think the image below clarifies the scenario.

Proof of concept – the automatic way

YM_hijack is a tool that automates the process described in the picture above. It must be run on the “Man in the Middle” host (see the picture). It does not have any MITM (man-in-the-middle) capabilities of its own, so for that part you must use another tool such as Cain, Ettercap, arpspoof or macof.

Prerequisites (for YM_hijack.exe): Windows XP, Mozilla Firefox (2 or above)

Prerequisites (for the Python version): Windows XP, Mozilla Firefox (2 or above), Python, Pcapy, Impacket

How does it work?

  • Make yourself the man-in-the-middle
  • Start YM_hijack.exe (or the Python version), which does the following:
    • Sniffs packets from the network destined for TCP port 80
    • Extracts the HTTP payload and searches for Yahoo mail specific cookies (Y, B, T)
    • Creates a new Firefox profile named after the IP address of the originator
    • Creates the cookies.txt file in the newly created profile’s folder
    • Starts a new instance of Firefox with the new profile
    • Enters directly into the Yahoo mail session of the ‘poor guy’

You can find more details by studying the source code (for Python speakers).

The solutions:

  • use HTTPS during the entire session (Gmail has an option to do that)
  • encrypt your email content using PGP or a similar tool
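As an added example (not code from this post or from YM_hijack), the following script checks whether a web-mail server actually delivers the first solution above. It audits a raw HTTP response for the conditions that make the hijack work: session cookies (Y, B, T, as named in this post) set without the Secure flag, no redirect from HTTP to HTTPS, and, going beyond what the post mentions, no HttpOnly flag and no HSTS header. The two responses and the domain mail.example.com are constructed for the example.

```python
# Added example (not the post's code): audit a raw HTTP response for the
# weaknesses the post exploits. Cookie names Y, B, T are from the post;
# the responses below are constructed and the domain is hypothetical.
SESSION_COOKIES = ("Y", "B", "T")

# Constructed: a session cookie handed out over plain HTTP, unprotected.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: Y=v=1&n=abc123; path=/; domain=.example.com\r\n"
    "\r\n<html>inbox</html>"
)

# Constructed: same cookie with Secure/HttpOnly, HSTS and a redirect to HTTPS.
HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://mail.example.com/\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: Y=v=1&n=abc123; path=/; domain=.example.com; Secure; HttpOnly\r\n"
    "\r\n"
)

def parse_response(raw):
    # Split the head into (status line, [(lowercased name, value), ...]).
    status, *lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit_response(raw):
    """Findings for a response to a plain-HTTP request; [] means clean."""
    status, headers = parse_response(raw)
    hdrs = dict(headers)
    findings = []
    for value in (v for n, v in headers if n == "set-cookie"):
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if cookie not in SESSION_COOKIES:
            continue
        if "secure" not in attrs:
            findings.append(f"{cookie}: no Secure flag, sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: no HttpOnly flag, readable by page script")
    if "strict-transport-security" not in hdrs:
        findings.append("no HSTS header, later requests may fall back to HTTP")
    if not (status.split()[1].startswith("3") and hdrs.get("location", "").startswith("https://")):
        findings.append("plain-HTTP request was not redirected to HTTPS")
    return findings
```

Run audit_response on the response your own mail service returns to a plain http:// request; an empty list means the cookies YM_hijack looks for never travel in the clear.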

Think twice before choosing and using a web-based email service, especially for confidential information!