Gmail Hack: A Route to Domain Theft?
Google’s Gmail service has lots of fans, but it may also be the cause of a number of domain name thefts in recent weeks.
Attacker Creates a Gmail Filter
According to a proof of concept by Geek Condition, a security flaw in Gmail allows an attacker to have GoDaddy account reset information forwarded to them without the victim’s knowledge. This is done by creating a filter that forwards GoDaddy’s “change of password” mail to the attacker and deletes it from your inbox.
Such acts have been documented three times already this month.
How Your Account is Compromised
But surely in order to set up a Gmail filter and redirect your mail, the attacker needs your Gmail password? Not so, it would seem.
When setting up a filter for your mail, a request is sent to Google containing two key variables: a Unique Account Identifier, and a Session Authorization Key. The Unique Account Identifier never changes, and while the author of the proof declines to explain how it is obtained, he claims the answer can be found via a web search.
Meanwhile, the Session Authorization Key is found by directing a Gmail user to a page containing a malicious script. The script grabs the “GMAIL_AT” cookie, which includes the Session Authorization Key. Once obtained, the required variables are entered into a hidden iframe to create a filter on your account. And…voila…your password reset mails are now being sent elsewhere.
The Fix
For Gmail users, Geek Condition suggests checking your Gmail account for filters you did not create, and (for Firefox users only) installing the NoScript addon.
The fix for Gmail? They might want to make the Session Authorization Key expire after every request, rather than every session.
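The filter check suggested above can be scripted. The following is an added example, not code from Geek Condition or the original article; it assumes filters have been exported as dicts in the Gmail API filter resource shape (criteria/action), and the sample filters, addresses and the SENSITIVE_TERMS list are constructed for illustration.

```python
# Added example: flag Gmail filters that forward mail away and hide the original.
# Filter dicts follow the Gmail API filter resource shape (criteria / action).

# Assumption: terms that suggest a filter targets account-recovery mail.
SENSITIVE_TERMS = ("password", "reset", "godaddy", "transfer")

def audit_filters(filters, trusted_addresses=()):
    """Return (filter_id, forward_to, reasons) for each suspicious filter."""
    trusted = {a.lower() for a in trusted_addresses}
    findings = []
    for f in filters:
        action = f.get("action", {})
        forward_to = action.get("forward", "")
        if not forward_to or forward_to.lower() in trusted:
            continue  # only forwarding to an unrecognised address is of interest
        reasons = ["forwards to unrecognised address"]
        if "TRASH" in action.get("addLabelIds", []):
            reasons.append("deletes the original")
        if "INBOX" in action.get("removeLabelIds", []):
            reasons.append("skips the inbox")
        criteria = " ".join(str(v) for v in f.get("criteria", {}).values()).lower()
        hits = [term for term in SENSITIVE_TERMS if term in criteria]
        if hits:
            reasons.append("matches account-recovery mail: " + ", ".join(hits))
        findings.append((f.get("id"), forward_to, reasons))
    return findings

# Constructed sample data (not taken from any real account).
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example.org"},
     "action": {"addLabelIds": ["Label_7"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2",
     "criteria": {"from": "support@godaddy.com", "subject": "change of password"},
     "action": {"forward": "collector@example.net", "addLabelIds": ["TRASH"]}},
    {"id": "f3", "criteria": {"to": "me@example.com"},
     "action": {"forward": "me.backup@example.com"}},
]

if __name__ == "__main__":
    for fid, dest, reasons in audit_filters(
            SAMPLE_FILTERS, trusted_addresses=["me.backup@example.com"]):
        print(f"{fid}: -> {dest}: " + "; ".join(reasons))
```

Any filter the audit reports that you did not create yourself should be deleted, and the account password and registrar password changed.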
