The Geek Condition

Important -- How to Setup SSL on Gmail

The old Gmail Hack -- fixed

Is it possible for someone to create a malicious filter without having access to your Gmail username and password? No, however, they can force you to create the filter without your knowledge.

The blogosphere is buzzing about a Gmail Security Flaw that has caused some people to lose their domain names registered through GoDaddy.

To understand how this exploit works let me first explain how I would carry it out (if I were a blackhat). Then we can move on and explain the exploit in detail. Let’s use a current example and assume that I was trying to steal MakeUseOf.com and I already knew it was registered by GoDaddy. Let’s also assume that I knew the owner’s Gmail address. I would want to create a filter like the one in the image above, where all email sent from GoDaddy Support was automatically deleted and forwarded to my email address.

Once the filter was setup I would simply head on over to GoDaddy’s Customer Number Retrieval page and enter a little info.

Once I press continue an email is sent to the domain owner’s email address but since I’ve setup a filter he never sees it in his inbox. Instead, it is sent to the trash and forwarded to my email address. With the GoDaddy Account Number I can now proceed to the GoDaddy Password Retrieval page.

Once again I simply press continue and an email containing an Authorization Code is sent the the owner’s email address but the filter deletes it immediately and forwards it on to me. I now have the ability to take over this person’s GoDaddy account and transfer MakeUseOf.com or any domain within that account to my registrar.

Exploit in Detail

So how do we go about creating this filter in the first place? When you create a filter in your Gmail account, a request is sent to Google’s servers to be processed. The request is made in the form of a url with many variables. For security reasons, your browser doesn’t display all the variables contained within the url. Using FireFox and a plugin called Live HTTP Headers, you can see exactly what variables are sent from your browser to Google’s servers. Here is an example of a request url sent to Google to create a filter exactly like the one in the image above. I’ve broken down the url by variable so it’s easier to read: http://mail.google.com/mail/ ?ui=2 &ik=ad7df7dc23 *Unique Account Identifier* &at=xn3j35svndkg48yp2qgmpt99ivcqdc *Session Authorization Key* &view=up &act=cf &rt=h &zx=pjo6fg-k2ljzh&search=cf &cf1_from=support%40godaddy.com &cf2_emc=true&cf2_email=hacker%40hacker.com &cf2_tr=true

Through a process of elimination you can determine the role of each variable. I have highlighted the two most important variables, ik & at. The ik variable is the equivalent of a username, each account has one and it never changes. Obtaining this variable is tricky but possible. I’m not going to tell you how to do it, if you search hard enough online you’ll find out how.

Obtaining the at variable on the other hand can be done by tricking a user into visiting a page that contains malicious code that subsequently steals a cookie from the user called GMAIL_AT which is the same as the at variable, just named differently. Once the cookie is stolen the malicious code creates a hidden iframe with a url containing the variables that authorize Gmail to create a filter for your account.

What Google can do to prevent this attack from resurfacing?

Instead of having the at variable expire after each session, they should have the at variable expire after each request.

What you should do if you have a Gmail Account?

Check your filters and make sure that nothing seems out of the ordinary. If you’re using Firefox, you can download an extension called NoScript which helps to prevent you from becoming a victim of one of these attacks. Overall, though, be cautious.

Why am I sharing this information with you?

Well… Google has a way of fixing credible threats right away AND unless you’re extremely familiar with manipulating the purpose of software, it’s going to be difficult.