Gmail potential vulnerability
What if you were told that it is possible to login to your Gmail account with an alternate set of credentials besides your usual login/password, and these credentials would never change and work all of the time? Well, I just told you (and will tell you exactly how to do it yourself). I dug into the vulnerability after reading this story and was able to reproduce it.
What this really means is that if someone manages to get your Session Cookie information for your Gmail account, they will be able to read your mail no matter how many times you change your password. Once they get this, your acount will be compromised forever! (although I am sure Gmail is already working on a fix).
Here’s how it works: A Gmail session starts when you log in and ends when you log out or close the browser window. During the entire session, Gmail uses a Session Cookie to keep track of (and identify) the user. The Session Cookie is stored in memory (as opposed to a conventional Persistent Cookie which is stored on disk). Gmail stores multiple values in the Session Cookie but there are two in particular that are relevant to this vulnerability: SID and GV.
Step 1: Get values for SID and GV Session Cookies
Getting these cookies is trivial. Log in to your Gmail account and replace the URL in the address bar with:
This will replace the page with the Session Cookie. The text is formatted as _name=value;_ You should see something like the following (this is the actual output for email@example.com which you will end up logging in to as part of this example):
S=gmail=I6FvRVVeuxw:gmproxy=FbDcrmz48tY; TZ=420; PREF=ID=4ffb9f5873c54c6d:TM=1099097725:LM=1099097725:GM=1:S=e1c5TQpq4kqt6lO3; SID=Aa47jPohYfLVy1oq6JGxWrDnOhqNsU6ip1IUcLyicx8En8bLYb-3j7MyzMBeprkFkbK1MJyFkGwjfFnv1HV4p6M=; GV=ffed4cbbce-8b60cc9a1ffd6cdf3c71c62f85943a3f; GMAIL_AT=909a71ce638b31dd-ffed4cbbd0
The value for SID is:
and the value for GV is:
Step 2: Replace SID and GV in your own Gmail account
These values are all that is needed to log in to the Gmail account. To log in you simply need to replace your Session Cookie’s SID and GV values with these values. Assuming you are still logged in to your Gmail account, enter the following code in the address bar (replacing SID and GV the target account. This example sticks to firstname.lastname@example.org):
Once the SID values have been overwritten (technically there are two copies and the latter one which you entered is actually used) you can proceed to the gmail account by entering the following URLin the address bar:
…and you should be logged into the email account for email@example.com. Try changing the password and then repeat Step 2. You will still be able to login to firstname.lastname@example.org since the password does not affect this vulnerability.
This does not neccessarily mean that “Cookies are bad” and Gmail should stop using cookies. This vulnerability cannot be exploited in the open (meaning, you can’t compromise random accounts based on this vulnerability). The only security flaw is that these Session Cookies are valid for the lifetime of the account, so once you get this information the account is compromised forever no matter what the owner of the account does. In practise, the Session Cookie should be destroyed when the user logs out, or expired after certain amount of time, and a new and unique SID and GV should be issued each time a user logs in.
Getting the Session Cookies in itself requires exploiting an XSS vulnerability in Gmail. At the moment I am not aware of any XSS vulnerabilities in Gmail but if someone ever happens to get access to your Gmail account even once (for example you forget to log out and your browser window is left open), they can get access to it all the time. If an XSS vulnerability ever surfaces in Gmail — which is quite likely with this new webmail service — then your account will be compomised completely.
UPDATE (Apr 30, 2005): This vulnerability was patched within a few hours of discovery and no longer works.