Errata Security's Robert Graham showed how easy it is to grab tokens from Web traffic sent in the clear over Wi-Fi to hijack a session in progress: Almost every site that offers account logins uses a token stored in a cookie or appended to every link on a page (Amazon's original, pre-cookie approach) that serves as proof the user logged in successfully recently. Often, tokens time out forcing you to log in again to get a new one. The tokens are sent in the clear, and if you know the browser cookie name for the token, you can grab it over an open Wi-Fi connection at a hotspot.
Graham demonstrated automated tools to accomplish what he's calling sidejacking at the Black Hat security conference. The Ferret and Hamster programs work together to grab and sidejack a connection. It's a rather neat idea; it was clear to many that these tokens were a risk, but it raises the risk profile when it's demonstrated how easy it is to turn that into something practical. Graham noted, the BBC reports, that many appropriately designed sites require you to re-enter your password to perform account changes, and this weakness wouldn't affect that level of security.
The point of this kind of sidejacking would be to create an easy process for a cracker at popular hotspots to insert malicious code into MySpace or other social media sites. It's pretty clear that you could automate a tool to scan for social logins, grab the token, make the connection to retrieve and post a revised page with a payload--all of which could happen in seconds.
There are three solutions to this problem:
- Only use Web sites that employ SSL across their entire session. SSL imposes a slight yearly cost for certificates for the site's operator, and computational cost for the encryption overhead in managing browser interaction. But it's possible and worth it. There's no good reason except adding a few percentage points to your server budget to avoid SSL for everything.
- Use a VPN (virtual private network) connection, which opaques everything entering and leaving your computer from sniffing. Plenty of rent-a-VPN services exist like JiWire's HotSpot Helper, AnchorFree's free Hotspot Shield, WiTopia's personalVPN, PublicVPN.com's eponymous service, and HotSpotVPN's multiple offerings.
- Browser and server makers could agree to develop a new protocol that would bind local network and computer information into a cryptographic hash that would vary on each transmission. There may be such an effort in progress. It's a compromise between SSL (and would require an SSL negotiation at the start) and clear text, but imposes a lower computational load on both ends.
Graham's business partner David Maynor gets a booby prize: The Pwnie Awards are a self-organized set of security raspberries presented at Black Hat but with no connection to the event. The judges, all security researchers, gave David Maynor a Pwnie for the Most Overhyped Bug, with a description of the events last year in which Maynor and his colleague Jon Ellch appeared to say and then deny that they had found exploitable vectors in Apple's native wireless drivers.
While Maynor noted in February that he had actually found such vulnerabilities and reported them to Apple, he said he would shortly release the code that he used, in order to show that the potential was there before Apple released patches, and that the patches corresponded to what he and Ellch found. Maynor has never released this code. I pinged him recently to ask if he was now ever planning to; no response.
The Pwnie judges note in a rather fair way, especially considering some of those judges' general attitudes towards Apple and its security responses, "In the end, the only public information about Maynor's Wi-Fi vulnerabilities are hype, denial, a media frenzy, and a patch that may or may not have been based on Maynor's findings."
And it gets more interesting: Graham praises Apple's iPhone patches in advance of Black Hat: Back to Graham. Graham praises Apple for its rapid response to a series of bugs found in the iPhone that had already been demonstrated to show exploits. In the cell world, Graham writes, "Apple [h]as set a record for responding to security problems quickly."