Can the other programs on my PC access my Google account through web browsers' cookies?

12

2

I am curious whether it is possible for the other programs on my Windows 7 machine to access my Gmail, given that I have already logged in to my Google Account in Chrome (stable).

If not, what prevents them from accessing it, and how?


The bounty is for todda.speot.is.

If you have any good answer, I would +1 it at least. XD

user69835

Posted 2011-08-12T07:56:31.477


Regarding the bounty, is there anything else you'd like me to clarify in my answer? – ta.speot.is – 2011-08-14T10:36:56.823

I'll try and update when time permits. – ta.speot.is – 2011-08-16T01:34:18.847

Answers

15

Presumably, yes. If you read the comments here they imply that Chrome does not encrypt cookies and you can simply copy your user profile to another PC and Chrome will start using those cookies.

Substitute "you can simply copy your user profile to another PC" with "an attacker can copy your user profile to their PC".

Or, a local application could make a copy of it. This thread has a Python script for exporting your Chrome cookies.

Edit:

I can't tell if surfasb is trolling or just doesn't understand how HTTP works. Unencrypted cookies are the attack vector Firesheep uses. Whether it gets it off the wire or off the disk is unimportant. Once you have the cookie, you're in.

Here's a small example to "trick" Google into thinking that netcat is Chrome. Note that Google doesn't care what my browser is, just that I have the cookies Google gave me that identify me to Google.

request_nocookie.txt:

GET http://www.google.com.au/ HTTP/1.1
Host: www.google.com.au
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

request_cookie.txt is the same as the above, but with my PREF, SID, HSISD, NID cookies for .google.com. I'm not going to show you them, because they're mine :)

These two commands send the requests to Google and then save the response.

type request_nocookie.txt | nc www.google.com 80 > response_nocookie.txt
type request_cookie.txt | nc www.google.com 80 > response_cookie.txt

Now that we have the responses...

find "Todd" < response_nocookie.txt > NUL
echo %ERRORLEVEL%
1

A non-zero error level is failure. My name doesn't appear in the response, because without the cookies Google doesn't know about me.

What about when we have the cookie?

find "Todd" < response_cookie.txt > NUL
echo %ERRORLEVEL%
0

A zero error level is success - we've found my name in the response! It's actually there a few times, because the toolbar at the top has a bunch of stuff relating to my Google Plus account.

I'll leave this as an exercise for the reader: if you really want to, you can let yourself in to a Google Plus account with some slightly better tools. Google Plus requires SSL (which doesn't make it any more secure against a user taking the cookies off the disk, but it does stop Firesheep).

ta.speot.is

Posted 2011-08-12T07:56:31.477

Reputation: 13 727
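The two-request experiment above, recreated as an added example that is not from the answer above: a constructed loopback HTTP server identifies a "user" purely by the value of an SID cookie, and a client fetches the page with and without that cookie (and with different User-Agent strings) to show that only the cookie matters. The session table, cookie name and user name are all made up for the demo.

```python
import http.client
import http.server
import threading
from http.cookies import SimpleCookie

# Constructed session table (assumption for the demo): cookie value -> signed-in user.
SESSIONS = {"sid-abc123": "Todd"}


class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # The server looks only at the Cookie header; User-Agent is never consulted.
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookies["SID"].value if "SID" in cookies else None
        name = SESSIONS.get(sid)
        page = f"<html>Signed in as {name}</html>" if name else "<html>Sign in</html>"
        body = page.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the constructed server on a random loopback port in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, cookie_header=None, user_agent="netcat-ish"):
    """Send one GET, optionally with a Cookie header, and return the response body."""
    headers = {"User-Agent": user_agent}
    if cookie_header:
        headers["Cookie"] = cookie_header
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers=headers)
    body = conn.getresponse().read().decode()
    conn.close()
    return body


def name_appears(port, cookie_header=None, user_agent="netcat-ish", name="Todd"):
    """Equivalent of `find "Todd" < response.txt`: True if the name is in the body."""
    return name in fetch(port, cookie_header, user_agent)
```

Run it with `srv = start_server()` and compare `name_appears(srv.server_address[1])` against `name_appears(srv.server_address[1], "SID=sid-abc123")`: the first is False, the second True, whatever User-Agent is sent.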

Thank you. In addition, would most anti-virus programs warn me when some other program is doing so? – None – 2011-08-13T13:30:40.337

While that exports your cookies, that doesn't get you into Google Accounts. Go ahead and take the contents of that cookie and write yourself an application and try to access their account information. There is more to this than just the client side... – surfasb – 2011-08-13T20:25:50.613

@Dante - highly unlikely that an AV scanner would notify you if an application was reading your Chrome cookies. Further, this sort of behaviour would solve the problem at the wrong level (stop malware on your machine from reading your cookies). Instead, you should be solving it one level up (stop malware on your machine!). – ta.speot.is – 2011-08-14T01:56:47.040

This is one of the most comprehensive answers on SuperUser. I would vote it up twice if I could! – TFM – 2011-08-15T19:30:14.287

Thank you. (and it wouldn't have been so detailed if surfasb hadn't been so wrong. So thanks surfasb, for not knowing how HTTP works!) – ta.speot.is – 2011-08-16T01:35:11.390

-1

When you signed into Gmail or your Google Account, the "remember me" option was probably enabled. This told Google you didn't want to have to type in your password every time, so they told your browser (Chrome) to remember your Gmail/Google Account session ID, which is saved into what is called a "cookie" that doesn't expire when you exit your browser.

Is this what you wanted to know?

Nexerus

Posted 2011-08-12T07:56:31.477

Reputation: 798