New Tool For Attack On Gmail, Facebook
Hi All !
I was browsing the net and stumbled across this article on ZDNet. Researchers have released an open source tool that is capable of launching automated man-in-the-middle attacks against popular sites such as Gmail and Facebook. The tool, called Middler, is designed to target users who access these services over public networks in hotels, coffee shops and aeroplanes. Besides launching man-in-the-middle attacks, in which communications are intercepted so the attacker can insert his own data between the website and the client device, the tool can also compromise computers and even iPhones via their software-update mechanisms.
The tool is intended to demonstrate a particular weakness found in many popular online applications: the use of clear-text HTTP for most of the user session.
While sites such as Gmail use an encrypted HTTPS session for the login step, they switch back to clear-text HTTP for the rest of the session. The session cookie issued at login is then sent with every one of those HTTP requests, so anyone who can see the traffic on a shared network can copy the cookie and replay it as the logged-in user.
The tool is able to hijack sessions for web applications such as Gmail, LiveJournal and LinkedIn without any user interaction, said Beale, one of the researchers behind the tool. After hijacking a Gmail session, the attacker can read the user's email, harvest the address book, send emails and prevent the user from logging out, among other things, he claimed. The LinkedIn exploit allows an attacker to read the user's full contact information and that of everyone in the user's personal network.
The Middler is written in Python and uses a plug-in framework, intended to allow other developers to extend it or to integrate it into other security software.
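To make the weakness above concrete, here is a small added example (my own illustration, not code from Middler or surfjack): a simplified model of the browser cookie rules from RFC 6265, which shows why a session cookie set during the HTTPS login is handed to anyone sniffing the clear-text HTTP requests that follow, why the same cookie marked Secure is not, and what a passive listener can pull out of captured requests. The hostnames, cookie names and captured request lines are constructed for the example.

```python
"""
Why "HTTPS for login, HTTP for the rest" leaks the session.

Added example, not code from Middler or surfjack. Cookie handling follows a
simplified reading of RFC 6265 (domain scoping and the Secure attribute only).
All hosts, cookie names and the packet capture below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # domain the cookie is scoped to, without leading dot
    host_only: bool  # no Domain attribute: sent only to the exact host that set it
    secure: bool     # Secure attribute: never sent over clear-text HTTP
    http_only: bool  # HttpOnly attribute: hidden from script, irrelevant to sniffing


def parse_set_cookie(header: str, setting_host: str) -> Cookie:
    """Parse one Set-Cookie header value as sent by the server."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    secure, http_only = "secure" in attrs, "httponly" in attrs
    if "domain" in attrs:
        return Cookie(name.strip(), value, attrs["domain"].lstrip(".").lower(),
                      False, secure, http_only)
    return Cookie(name.strip(), value, setting_host.lower(), True, secure, http_only)


def cookies_sent(jar, scheme: str, host: str):
    """Cookies a browser attaches to a request for scheme://host/ ."""
    host = host.lower()
    sent = []
    for c in jar:
        if c.host_only:
            if host != c.domain:
                continue
        elif host != c.domain and not host.endswith("." + c.domain):
            continue
        if c.secure and scheme != "https":
            continue  # the Secure flag keeps the cookie off clear-text connections
        sent.append(c)
    return sent


def session_leaks(set_cookie: str, login_host: str, browse_host: str) -> bool:
    """True if a cookie set during the HTTPS login would later travel over
    plain HTTP to browse_host, i.e. in the clear for a passive sniffer."""
    jar = [parse_set_cookie(set_cookie, login_host)]
    return bool(cookies_sent(jar, "http", browse_host))


def harvest_cookies(capture: str):
    """What a listener on the same network sees: the Cookie headers of every
    clear-text HTTP request, grouped by Host. (HTTPS traffic is not readable,
    so it never shows up here.)"""
    found = {}
    host = None
    for line in capture.splitlines():
        m = re.match(r"Host:\s*(\S+)", line, re.I)
        if m:
            host = m.group(1).lower()
            continue
        m = re.match(r"Cookie:\s*(.+)", line, re.I)
        if m and host:
            for pair in m.group(1).split(";"):
                key, _, val = pair.strip().partition("=")
                found.setdefault(host, {})[key] = val
    return found


# Constructed capture of two clear-text requests made after an HTTPS login.
CAPTURE = """GET /mail/ HTTP/1.1
Host: mail.example.com
Cookie: SID=abc123; GX=xyz

GET /profile HTTP/1.1
Host: www.network.example
Cookie: sess=deadbeef
"""

WEAK_LOGIN_COOKIE = "SID=abc123; Domain=.example.com; HttpOnly"
FIXED_LOGIN_COOKIE = "SID=abc123; Domain=.example.com; Secure; HttpOnly"

if __name__ == "__main__":
    print("weak cookie leaks over HTTP: ",
          session_leaks(WEAK_LOGIN_COOKIE, "accounts.example.com", "mail.example.com"))
    print("Secure cookie leaks over HTTP:",
          session_leaks(FIXED_LOGIN_COOKIE, "accounts.example.com", "mail.example.com"))
    print("harvested from the wire:", harvest_cookies(CAPTURE))
```

The fix the model points at is either of two things the site, not the user, has to do: keep the whole session on HTTPS, or at least set the session cookie with the Secure attribute so the browser refuses to send it over HTTP. A cookie that is only HttpOnly still goes out in the clear; HttpOnly protects against script, not against a sniffer.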
You could visit Middler’s website here, if you would like to know more about it.
Enjoy !
Nice one Ne0. This particular type of attack is called Surf-Jacking. To protect from this attack, always use HTTPS. In the case of Gmail there is a setting which says always use HTTPS. Always select that.
You can find a video demonstration of that attack Here
Tool for surfjacking can be used here : http://surfjack.googlecode.com/files/surfjack-0.2b.zip
Enjoy!!!
Thanks w0lf… And nice informative suggestions too… Link is quite informative….