Gmail vulnerability disclosed at Defcon

Though it's not specific to Gmail, or easily exploitable by users outside your network, a session hijacking demonstration by Robert Graham showed hackers how to take over a users email account by simply sniffing network traffic and stealing cookies. In the demonstration, George Ou volunteered an email address he created to be hacked into -- and it didn't take long.

Though it's not specific to Gmail, or easily exploitable by users outside your network, a session hijacking demonstration by Robert Graham showed hackers how to take over a users email account by simply sniffing network traffic and stealing cookies. In the demonstration, George Ou volunteered an email address he created to be hacked into -- and it didn't take long. Within seconds, the attacker was able to use a point-and-click interface to get access to this account and send a message from it.

The demonstration highlights how easy unsecure network traffic can make for some very simple session hijacking. One way you can avoid having your Gmail account taken over by people on your network is to use the SSL version -- be warned though, any website that relies heavily on cookies for authentication remains vulnerable.

If you don't have Greasemonkey installed, or you still use Internet Explorer, get used to typing "https://www.gmail.com" to check your email -- doing this will safeguard yourself from prying eyes through network sniffing. If you have Firefox, you can install this Greasemonkey script to ensure your session always remains in "secure mode".

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All