Googlemail, Outlook. com and e-voting 'pwned' on stage in crypto-dodge hack

Black Loath 2013 Security researchers say they have developed an interesting trick to take over Gmail and View. com email accounts - by shooting down victims' logout requests even over a supposedly encrypted relationship.

And their classic man-in-the-middle attack could be applied to compromise electronic ballot boxes to rig elections, we're told.

Ben Smyth and Alfredo Pironti of the French National Institute for Research in Computer Science and Control (INRIA) declared they found a way to exploit flaws in Google and Microsoft's web email services using an problem in the TLS (Transport Layer Security) technology, which encrypts and secures website connections.

Full details of the attack are yet to be widely disseminated - but it was outlined for the first time in a display at this year's Black Hat hacking convention in Todas las Vegas on Wednesday.

In short, we're told, by using a TLS truncation strike on a shared computer to dam victims' account logout requests so that they unknowingly remain hotmail login: when the request to sign out is delivered, the attacker injects an unencrypted TCP FIN information to close the connection. The server-side therefore doesn't have the request and is unaware of the irregular termination.

The pair discussed:

In essence, we obstruct encrypted messages that are sent over the network to de-synchronize authorisation: we force Gmail and hotmail login[Outlook. com] to display on your web browser the page that makes announcement which you have successfully signed-out, while making sure your browser preserves authorisation with Gmail and Hotmail [Outlook. com].

Given such an announcement, you should be certain that you are secure, in particular, a hacker should not be able to access your email, in case you [log out and] leave your computer unattended. Yet , we can violate this basic security premise and entry your Gmail and Hotmail [Outlook. com] accounts just by reloading the web page.

Typically the attack does not count on installing malware or similar shenanigans: the miscreant pulling off the secret must simply put herself involving the victim and the community. That could be achieved, for example, by setting up a naughty wi-fi hotspot, or plugging a hacker-controlled router or other little box between the PC and the system.

The researchers warned that shared machines – even un-compromised computers – are not able to guarantee secure access to systems operated by Helios (an electronic voting system), Microsoft (including Account, hotmail sign up, and MSN), nor Yahoo (including Gmail, YouTube, and Search).

"This blocking can be accomplished by a so-called 'man in the middle', " Pironti advised El Reg.

"Technically, whatever piece of hardware is relaying data between you and Google could determine to stop relaying at some point, and do the [logout] blocking.

"In practice, this is very easy to do: with wireless networks (e. h. developing a rogue access point) or with wired networks (e. g. by adding a router between your cable and the wall structure plug - alternatively this could be done with custom-built hardware, which could be very small). inch

Block and deal with: Several attacks might be possible because of this of the vulnerability, according to Pironti.

"In the context of voting, a single malicious vote station worker could do the attack, voting at his pleasure for any voter. He creates his man-in-the-middle, then waits for a designated victim to the voting booth. Typically the man-in-the-middle device blocks the kind of messages. Then the harmful worker enters the voting booth (e. g. with the excuse to check that the device is operational) and votes on the victim's behalf. "

Web mail attacks on shared personal computers in settings such as libraries are also possible. An attacker simply needs to access a computer after a mark incorrectly thinks she has signed out there.

Unbeknown to the customer, the hacker's hardware will have blocked the relevant messages, yet the consumer must be shown what appears to be a "you've signed out" webpage - the core factor of the con. Right after that, it's possible for an adversary to use the pc to access the wearer's email.

"We believe this [problem] is due to a poor understanding of the security assures that may be derived from TLS and the absence of robust web application design guidelines. In publishing our results, we hope to improve awareness of these issues before heightened exploits, dependent after our attack vector, are developed, " the researchers concluded.

The strike developed by INRIA is apparently possible because of a de-synchronisation between the user’s and server’s perspective of the application state: the user receives feedback that her sign-out request has been successfully executed, whereas, the server is ignorant of the user’s demand.

"It follows intuitively that our attack vector could be exploited in other client-server state transitions, inches Smyth and Pironti discussed.

Mitigating the attack could be performed by reliably informing the user of server-side express changes. "Unfortunately, the HTTP protocol is unsuited to this kind of notification", we're told, so the researchers advocate the use of technologies including the SPDY network protocol and AJAX (asynchronous JavaScript and XML, a web development framework).

The 2 researchers shared their conclusions with Google and Ms; the web advertising large acknowledged the discovery in its application security hall of fame.

Smyth and Pironti's presentation of their research was titled Truncating TLS connections to violate beliefs in web programs. The researchers were relatively capable to exploit the Helios electronic voting system to cast ballots on behalf of voters, take full control of Microsoft Survive accounts, and gain momentary access to Google company accounts.

Subtle reasons make Microsoft's webmail service more exposed than its Google equal, Pironti explained.

"Google happens to be less uncovered for two reasons, " Pironti told El Reg. "First, our attack uses de-synchronisation at the server based: it happens that Yahoo ensures synchronisation every 5 minutes, making our strike [only] work within this a few minutes windowpane. Second, Microsoft enables you to change your password without re-typing the old one, so even as we access the user account, we can change its password and get full control. "

Pironti said the research didn't check out other popular webmail systems, such as Yahoo! 's, so he can't say for sure whether they are vulnerable or not.

"We suspect a great many other services are broken, but we didn't look into details, " she said