Gmail vulnerability disclosed at Defcon

Summary: Though it's not specific to Gmail, or easily exploitable by users outside your network, a session hijacking demonstration by Robert Graham showed hackers how to take over a user's email account by simply sniffing network traffic and stealing cookies. In the demonstration, George Ou volunteered an email address he created to be hacked into -- and it didn't take long.

Though it's not specific to Gmail, or easily exploitable by users outside your network, a session hijacking demonstration by Robert Graham showed hackers how to take over a user's email account by simply sniffing network traffic and stealing cookies. In the demonstration, George Ou volunteered an email address he created to be hacked into -- and it didn't take long. Within seconds, the attacker was able to use a point-and-click interface to get access to the account and send a message from it.

The demonstration highlights how unencrypted network traffic makes session hijacking very simple: the session cookie crosses the network in the clear, and whoever captures it can present it as their own. One way you can avoid having your Gmail account taken over by people on your network is to use the SSL version -- be warned though, any website that relies heavily on cookies for authentication remains vulnerable as long as those cookies are sent over an unencrypted connection.

If you don't have Greasemonkey installed, or you still use Internet Explorer, get used to typing "https://www.gmail.com" to check your email -- doing this will safeguard you from prying eyes on the network. If you have Firefox, you can install this Greasemonkey script to ensure your session always remains in "secure mode".
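To make the cookie exposure concrete from the defender's side, here is an added example (not code from ZDNet, Robert Graham or Google) that audits Set-Cookie headers and simulates what a browser would attach to a plain-http request versus an https one. The headers, cookie names and domain are constructed stand-ins, not Gmail's real cookies; a cookie without the Secure attribute is the one a sniffer on the same network can read.

```python
"""Which cookies would leave a laptop in the clear? Audit of constructed
Set-Cookie headers and a simulation of what a browser attaches to an
http:// versus an https:// request. Sample data is made up, not Gmail's."""
from http.cookies import SimpleCookie

# Constructed stand-ins for what a webmail login response might return.
SAMPLE_SET_COOKIE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/",                    # no Secure flag
    "SSID=def456; Domain=.example.com; Path=/; Secure; HttpOnly",  # HTTPS only
    "PREF=en; Domain=.example.com; Path=/",                        # preference cookie
]


def parse_set_cookie(header):
    """Return (name, value, secure, httponly) for a single Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    # Flag attributes parse to True when present and "" when absent.
    return name, morsel.value, bool(morsel["secure"]), bool(morsel["httponly"])


def audit(headers):
    """Map each cookie name to its transport-protection flags."""
    report = {}
    for header in headers:
        name, _value, secure, httponly = parse_set_cookie(header)
        report[name] = {"secure": secure, "httponly": httponly}
    return report


def cookie_header_for(scheme, headers):
    """Build the Cookie request header a browser would send to a same-domain
    URL with the given scheme. Secure cookies are withheld over plain http."""
    sent = []
    for header in headers:
        name, value, secure, _httponly = parse_set_cookie(header)
        if secure and scheme != "https":
            continue
        sent.append(f"{name}={value}")
    return "; ".join(sent)


def exposed_on_the_wire(headers):
    """Names of cookies that travel in the clear whenever the user (or any
    script on the page) makes a plain-http request to the site."""
    return [parse_set_cookie(h)[0] for h in headers
            if not parse_set_cookie(h)[2]]


if __name__ == "__main__":
    for name, flags in audit(SAMPLE_SET_COOKIE_HEADERS).items():
        print(name, flags)
    print("http  ->", cookie_header_for("http", SAMPLE_SET_COOKIE_HEADERS))
    print("https ->", cookie_header_for("https", SAMPLE_SET_COOKIE_HEADERS))
    print("readable by a sniffer:", exposed_on_the_wire(SAMPLE_SET_COOKIE_HEADERS))
```

Run it and the http line shows SID on the wire while SSID stays home; that is exactly why forcing https for the whole session (rather than only the login page) matters, and why a site that wants its session cookie protected must mark it Secure so the browser never sends it over an unencrypted connection in the first place.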

Topics: Security, Collaboration, Google, Networking
