-
March 19th, 2007, 07:48 PM
#21
Junior Member
Exploit / webmail
Originally Posted by Aardpsymon
That is rather scary....
Agreed - it's full control over the account.
Originally Posted by nihil
Have cookies got anything to do with it?
Don't know but it works even on a logged-out account (i.e. any cookies presented would be expired so they shouldn't work).
Originally Posted by nihil
just what is getting exploited or circumvented?
View of any existing mail message and the capability to send new mail on web mail accounts.
Originally Posted by nihil
Does this only affect e-mail?
As far as I can tell.
Originally Posted by nihil
Given the number of security "wannabes" out there I find it very strange that something so fundamental has gone unnoticed for so long
Agreed.
-
March 22nd, 2007, 10:47 PM
#22
Junior Member
not mitm, not SSL problem, and not cookie replay......
so what is it then....not not not, but what? you are saying that you can walk into any coffee shop (unencrypted) and gain the ability to send and receive out of any web mail account....this is definitely something new, if it's real.
"Program" name please?
-
March 22nd, 2007, 11:11 PM
#23
I still suspect cookies............. if they hold the password (and some do) that would explain it all?
The session would be expired, but the password would be the same?
-
March 24th, 2007, 12:27 AM
#24
Farmik0lot said you could do it with many top mail providers. I am confused here, since most of these are professionals. If 'any' is included in this, that counts gmail. Do all of these mail servers use stale cookies?
-
March 24th, 2007, 12:51 AM
#25
Is it just me, or has he yet to explain how he is capturing the traffic. As in 2 wireless clients connected to the same unsecured AP and he is capturing the traffic from an unsecured wireless ap.
-
March 24th, 2007, 01:43 AM
#26
Perhaps the coworker was showing off and bogusly captured his OWN information?
-
March 24th, 2007, 10:01 PM
#27
You can't replay SSL traffic without the private keys involved. End of story.
MITM attacks are possible over wireless. If the web application's digital certificate was signed by a known CA, then the MITM would have caused the browser to prompt the user to verify the cert. If they accepted, game over: the traffic is clear to the attacker. This is because the attacker would have replaced the public key with their own.
Ask your friend how many wireless interfaces they have in that laptop. Or, ask them what they did. You know what they say about assumptions.
-
March 25th, 2007, 07:01 PM
#28
I can't really remember what they said about assumptions....
It was something on the line of "assume"
You make a/an "something" out of u and me.
-
March 25th, 2007, 07:05 PM
#29
an "ass" out of "u" and "me"
and I'm still with d34dl0k1 on this one. ANY half decent authentication system would drop replayed traffic AS replayed traffic, IE - out of date and not a current session. It's not as if the same thing wasn't possible on wired networks for years without switches.
If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.
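The point made in #23 and #29, that a captured session cookie stops working once the session is expired or logged out and that the cookie must not carry the password, can be shown with a small server-side session store. This is an added example and not code from the thread or from any webmail provider; the SessionStore class, the signing scheme, the 15-minute TTL and the user name "alice" are all constructed for illustration.

```python
"""Session-token validation that rejects replayed cookies.

Added example (not from the thread): a minimal server-side session store
showing why a cookie captured off the wire does not grant access once the
session has expired or the user has logged out, and why a tampered token
is refused. All names and values are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time

# Constructed key; a real server loads this from protected configuration.
SECRET_KEY = secrets.token_bytes(32)


class SessionStore:
    """Server-side sessions: the cookie holds only a random id plus an HMAC,
    never the password, so a captured cookie is useless outside its lifetime."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}  # session id -> {"user": ..., "expires": ...}

    def _sign(self, session_id):
        return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

    def create(self, user, now=None):
        """Start a session and return the cookie value '<id>.<hmac>'."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # urlsafe alphabet never contains '.'
        self._sessions[sid] = {"user": user, "expires": now + self.ttl}
        return f"{sid}.{self._sign(sid)}"

    def validate(self, cookie, now=None):
        """Return the user bound to a valid cookie, or None if it is rejected."""
        now = time.time() if now is None else now
        try:
            sid, sig = cookie.split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(sid)):
            return None  # forged or tampered token
        entry = self._sessions.get(sid)
        if entry is None:
            return None  # unknown id, or the user logged out
        if now > entry["expires"]:
            del self._sessions[sid]
            return None  # past its TTL: a replayed old cookie lands here
        return entry["user"]

    def logout(self, cookie):
        """Invalidate the session server-side; the cookie value is now dead."""
        sid = cookie.split(".", 1)[0]
        self._sessions.pop(sid, None)


def replay_scenario():
    """Constructed scenario: a cookie is recorded at t0 and presented later."""
    store = SessionStore(ttl_seconds=900)
    t0 = 1_000_000.0
    cookie = store.create("alice", now=t0)
    captured = cookie  # what a passive observer of cleartext traffic would hold

    live = store.validate(captured, now=t0 + 60)  # within TTL, still valid
    store.logout(cookie)
    after_logout = store.validate(captured, now=t0 + 120)  # rejected: session gone

    cookie2 = store.create("alice", now=t0)
    expired = store.validate(cookie2, now=t0 + 1000)  # rejected: past the TTL

    # Flip the last hex digit of the HMAC: signature check fails.
    last = "0" if cookie2[-1] != "0" else "1"
    tampered = store.validate(cookie2[:-1] + last, now=t0 + 10)

    return {"live": live, "after_logout": after_logout,
            "expired": expired, "tampered": tampered}


if __name__ == "__main__":
    print(replay_scenario())
```

The cookie carries no credential, so nihil's "cookie holds the password" case cannot arise here; and because validity lives on the server, replaying the recorded value after logout or expiry fails regardless of what the client presents.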
-
March 30th, 2007, 01:14 PM
#30
Junior Member
info...
Originally Posted by nihil
I still suspect cookies............. if they hold the password (and some do) that would explain it all?
The session would be expired, but the password would be the same?
Not sure, an expired cookie wouldn't work for top webmail providers, so it appears to be something else.
Originally Posted by net2infinity
Is it just me, or has he yet to explain how he is capturing the traffic. As in 2 wireless clients connected to the same unsecured AP and he is capturing the traffic from an unsecured wireless ap.
Capturing traffic with Kismet. There is no AP in the laptop, just a wireless card not acting as an AP. The machine that logs to the account is connecting to the legitimate AP.
Originally Posted by ngboot
Perhaps the coworker was showing off and bogusly captured his OWN information?
No, because I tried it myself independently.
Originally Posted by d3dl0k1
You can't replay SSL traffic without the private keys involved. End of story.
Ask your friend how many wireless interfaces they have in that laptop. Or, ask them what they did. You know what they say about assumptions.
One wireless card, no AP. The authentication is SSL encrypted.
Originally Posted by Aardpsymon
an "ass" out of "u" and "me"
and I'm still with d34dl0k1 on this one. ANY half decent authentication system would drop replayed traffic AS replayed traffic, IE - out of date and not a current session.
Major webmail providers presumably have a half decent authentication system.
Originally Posted by marsbarz
If you could tell me what "Windows program" was used to analyze the traffic and log you into the authenticating system it would help a lot....If the password or hash is not presented in the clear, then for well-known web mail systems it would be a big deal (and I believe impossible) to authenticate if provided with the traffic only.
Have a nice day.
Thanks for telling me to have a nice day. The reason that I posted the question in the first place is because I don't understand what is going on.