Gmail Session Management Vulnerability (Mobile Browsers)
Mobile browsers and applications are gaining wide spread populrity with the evolution of iPhone, Android and other mobile platforms. Security has always played the catch-up game with evolution of technology.
It was recently observed that gmail sessions opened using mobile browsers such as safari and Android webkit fails to invalidate the session id when a user logs outs. When a user logs out of gmail, the user is redirected to the login page and asked to re-enter the credentials. Though the end user sees a login page and cannot access inbox unless signed in again, the server session associated with the users login remains active at the server side and becomes an orphaned session. This flaw can be leveraged by an attacker to compromise a victims gmail account.
When a user logs out, gmail invalidates the cookies and session id's associated with that login by initiating a cookie expiration at client side. However, this does not invalidate the actual session existing at the server side. An attacker with the ability to monitor network traffic and perform ssl dissection can leverage this vector to compromise a victims account. The threat model associated with this attack requires both attacker and user intervention to facilitate this session hijacking and hence often downplayed by security experts and analysts. However, the increased mobility and availability of mobile platforms, which is often not considered, increases the prevelance and effectiveness of this attack. An attacker who captures an end user cookie of the following format can successfully hijack a victims attack:
In simple words, the probability of success for an attacker is greatly increased by the number of mobile users accessing emails from mobile devices. It is becoming increasingly popular for users connected to starbucks and airport public wifi networks to access emails on mobile devices as compared to laptops. Hence an attacker connected to public wifi network, with the ability to perform arp poisoning has an increased chance of compromising gmail users on the network. This attack requires the end user to accept server certificate validation error, when a user accesses the website, while connected to a compromised network. Unless users are aware of SSL and technical implications of certificate error/revocation, majority of the end users fall prey to this attack. Modified tools like firesheep, wpa hole 196 & tools like ettercap makes it easier for low skilled attackers to leverage and weaponize the vulnerability.
Mobile applications often rely on persistent/sticky sessions to ensure seamless sessions that do not require relogin every time a user returns back to the application. Large and distributed web applications often find it infeasible, w.r.t performance, to invalidate server side sessions and compromises on end user security. From an end user perspective, the following steps should be taken to ensure that one doesnt fall prey to this attack:
1) Do not access any website or application if the browser gives server certificate validation error.
2) Do not turn off fraud alert warnings on mobile browsers such as Safari on IOS platform. This setting can be found under General --> Safari.
PS: Gmail mobile application on Android platform has not been tested by the author and hence cannot be generalized at the moment. This vulnerability was confirmed on mobile browsers on both Android and IOS platforms. Also, this vulnerability is not present on gmail sessions running on ordinary non-mobile browsers.
It was recently observed that gmail sessions opened using mobile browsers such as safari and Android webkit fails to invalidate the session id when a user logs outs. When a user logs out of gmail, the user is redirected to the login page and asked to re-enter the credentials. Though the end user sees a login page and cannot access inbox unless signed in again, the server session associated with the users login remains active at the server side and becomes an orphaned session. This flaw can be leveraged by an attacker to compromise a victims gmail account.
When a user logs out, gmail invalidates the cookies and session id's associated with that login by initiating a cookie expiration at client side. However, this does not invalidate the actual session existing at the server side. An attacker with the ability to monitor network traffic and perform ssl dissection can leverage this vector to compromise a victims account. The threat model associated with this attack requires both attacker and user intervention to facilitate this session hijacking and hence often downplayed by security experts and analysts. However, the increased mobility and availability of mobile platforms, which is often not considered, increases the prevelance and effectiveness of this attack. An attacker who captures an end user cookie of the following format can successfully hijack a victims attack:
Cookie: GX=DASSGSHSJDJDJDH......-xxxxxxxxxxxxsxxxxx-xxxxxxxxxxxx;
In simple words, the probability of success for an attacker is greatly increased by the number of mobile users accessing emails from mobile devices. It is becoming increasingly popular for users connected to starbucks and airport public wifi networks to access emails on mobile devices as compared to laptops. Hence an attacker connected to public wifi network, with the ability to perform arp poisoning has an increased chance of compromising gmail users on the network. This attack requires the end user to accept server certificate validation error, when a user accesses the website, while connected to a compromised network. Unless users are aware of SSL and technical implications of certificate error/revocation, majority of the end users fall prey to this attack. Modified tools like firesheep, wpa hole 196 & tools like ettercap makes it easier for low skilled attackers to leverage and weaponize the vulnerability.
Mobile applications often rely on persistent/sticky sessions to ensure seamless sessions that do not require relogin every time a user returns back to the application. Large and distributed web applications often find it infeasible, w.r.t performance, to invalidate server side sessions and compromises on end user security. From an end user perspective, the following steps should be taken to ensure that one doesnt fall prey to this attack:
1) Do not access any website or application if the browser gives server certificate validation error.
2) Do not turn off fraud alert warnings on mobile browsers such as Safari on IOS platform. This setting can be found under General --> Safari.
PS: Gmail mobile application on Android platform has not been tested by the author and hence cannot be generalized at the moment. This vulnerability was confirmed on mobile browsers on both Android and IOS platforms. Also, this vulnerability is not present on gmail sessions running on ordinary non-mobile browsers.