

How you can get hacked if you are using iPad/Safari/gmail - bevenky
http://blog.secpanel.com/2012/07/30/how-you-can-get-hacked-if-you-are-using-ipadsafarigmail/

======
ef4
This is completely wrong. Examine your GMail cookies if you don't believe me.

The ones that grant access to your account are named "S" and "GX". You can
prove this by a process of elimination. Delete a cookie and see if you get
logged out.

They're set on "mail.google.com", not "google.com", so they don't get sent
when you search. Furthermore, they're marked "secure" so they only get sent
over HTTPS.

------
eridius
As long as gmail uses Secure cookies, then this article is completely wrong. I
just checked my own cookie storage and about half of the cookies for
mail.google.com are marked as Secure, but I don't know which ones are required
to identify your session.

~~~
mgurlitz
It's easy to check -- delete all secure cookies and see if you stay logged in.
Maybe Google is doing something that keeps MobileSafari from reading the
secure attribute, since I've never noticed this in my tests on iOS.

------
DrewHintz
Hi Rudhir, Drew from the Google Security team here. Actually, the
authentication cookies that are set on mail.google.com aren't sent when you
visit google.com, so the scenario you described wouldn't work. Those secure
cookies are only sent over SSL. That's good news for the people in your
scenario!

------
alagu
I guess all this article is trying to say is to use <https://google.com/> in
iPad. Is there anything else I'm missing here?

~~~
rudhir-secpanel
The google search tab on the right top in Safari/iPad is what a user tends to
search in, instead of opening up a new browser tab. This opens up
<http://google.com>, which is the issue.

~~~
Splines
Is that the workaround? After viewing google on https, close the tab and start
a new one for searching?

Or should I always avoid <http://google.com> while logged into a google
property on untrusted networks?

------
philiphodgen
I wonder (he said, sitting in the Minneapolis airport with an iPhone in hand)
whether Safari exhibits the same flaw on an iPhone?

------
ttan62
Tried a search in Chrome for iOS on my iPhone and noticed the URL began with
http. Does this mean Chrome is vulnerable as well?

------
munin
a better option: use the iOS mail app (with imaps), and use
application-specific passwords. don't log in to your app account from safari.
you then get two benefits:

1. session cookie hijacking not possible

2. the iOS mail app supports encrypted email

~~~
MiguelHudnandez
I do this, but I still find that I occasionally must log in to the web
interface to do certain things, like check my wife's calendar. I just try to
remember to log out again.

Another temporary workaround is to set the default search to Yahoo or Bing, to
help train you to use an SSL-enabled bookmark. That is, unless you happen to
be logged into either of those services.

------
Sidnicious
Can the session information sent to non-secure Google sites be used on Gmail?

~~~
rudhir-secpanel
Yes. When one is logged in as a gmail user, any google search is done as that
user. Therefore the requests will carry session information just as if one
were using gmail with http.

~~~
ef4
No, this is wrong.

The authentication cookies for GMail are named "S" and "GX". They're both set
only on "mail.google.com", and they both have the secure flag so they're only
transmitted over SSL.

There are certainly other Google cookies that let them track your identity
that will get sent when you search. But those cookies are not sufficient to
get access to GMail.
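
Added example, not part of the thread or the linked article: a simplified model of the browser rule ef4 and DrewHintz describe (RFC 6265 domain matching plus the Secure attribute), showing which cookies accompany a plain-HTTP search request. The jar is constructed; "S" and "GX" follow the thread's description and are assumed host-only, and the other cookie names are hypothetical.

```javascript
// Which cookies does a browser attach to a request? Simplified RFC 6265 model:
// only the Domain and Secure attributes are checked; Path and expiry are ignored.

// RFC 6265 section 5.1.3 domain matching.
function domainMatches(host, cookieDomain, hostOnly) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  // A host-only cookie (set without a Domain attribute) returns only to the exact host.
  if (hostOnly) return false;
  // Otherwise the host must be a subdomain; the leading dot stops "evilgoogle.com".
  return host.endsWith("." + cookieDomain);
}

// Names of the cookies in `jar` that would be sent with a request to `url`.
function cookiesSentTo(url, jar) {
  const { protocol, hostname } = new URL(url);
  return jar
    .filter((c) => domainMatches(hostname, c.domain, c.hostOnly))
    .filter((c) => !c.secure || protocol === "https:") // Secure: HTTPS only
    .map((c) => c.name);
}

// Constructed jar. "S" and "GX" are scoped as the thread describes
// (hostOnly is an assumption); TRACK_HYPOTHETICAL stands in for the
// non-authentication cookies ef4 mentions.
const jar = [
  { name: "S", domain: "mail.google.com", hostOnly: true, secure: true },
  { name: "GX", domain: "mail.google.com", hostOnly: true, secure: true },
  { name: "TRACK_HYPOTHETICAL", domain: "google.com", hostOnly: false, secure: false },
];

// Failure mode for contrast: a session cookie scoped to the parent domain
// without Secure (hypothetical) is what the article's scenario would need.
const misscopedJar = [
  { name: "SESSION_HYPOTHETICAL", domain: "google.com", hostOnly: false, secure: false },
];

console.log("http search :", cookiesSentTo("http://www.google.com/search?q=x", jar));
console.log("https gmail :", cookiesSentTo("https://mail.google.com/mail/", jar));
console.log("misscoped   :", cookiesSentTo("http://www.google.com/search?q=x", misscopedJar));
```

Only the first two filters matter for the thread's question: a cookie must pass both the domain match and the Secure check before it leaves the browser.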

------
catch23
does safari leak ssl-only cookies?

