Gmail vulnerability disclosed at Defcon

Gmail vulnerability disclosed at Defcon

Summary: Though it's not specific to Gmail, or easily exploitable by users outside your network, a session hijacking demonstration by Robert Graham showed hackers how to take over a users email account by simply sniffing network traffic and stealing cookies. In the demonstration, George Ou volunteered an email address he created to be hacked into -- and it didn't take long.

SHARE:

Though it's not specific to Gmail, or easily exploitable by users outside your network, a session hijacking demonstration by Robert Graham showed hackers how to take over a users email account by simply sniffing network traffic and stealing cookies. In the demonstration, George Ou volunteered an email address he created to be hacked into -- and it didn't take long. Within seconds, the attacker was able to use a point-and-click interface to get access to this account and send a message from it.

The demonstration highlights how easy unsecure network traffic can make for some very simple session hijacking. One way you can avoid having your Gmail account taken over by people on your network is to use the SSL version -- be warned though, any website that relies heavily on cookies for authentication remains vulnerable.

If you don't have Greasemonkey installed, or you still use Internet Explorer, get used to typing "https://www.gmail.com" to check your email -- doing this will safeguard yourself from prying eyes through network sniffing. If you have Firefox, you can install this Greasemonkey script to ensure your session always remains in "secure mode".

Topics: Security, Collaboration, Google, Networking

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

6 comments
Log in or register to join the discussion
  • Google Security

    2 weeks ago, Google had a series of security issues reported in Singapore, it was well documented here:

    http://jvyloh.blogspot.com/2007/07/google-serious-security-breach-final.html
    paulloke
  • How can I set SSL "always on" in Gmail?

    Can you tell me how I can use the SSL version of Gmail?
    And does this apply to both the browser and the e-mail client?

    My data:
    Browser: Firefox 2.0.0.6
    E-mail client: Mozilla Thunderbird 1.5.0.12
    OS: Ubuntu Linux 7.04

    Thanks in advance, Pjotr.
    pjotr123
    • Start by reading the article - it told you how!

      Start by reading the article - it told you how!

      Use http[b]s[/b]:// instead of http://

      They also gave a script for GreaseMonkey that does the job.
      CobraA1
    • set SSL always on

      You can also use the Add-on "CustomizeGoogle" which gives you lots of options to customize Google to your liking.
      CzarCar
  • Can be prevented by a good Web App Firewall

    This attack can be easily mitigated. There are several Web Application Firewalls that can track the cookies and prevent session hijacking.
    guyr@...
    • This has ZERO to do with application firewalls

      This has ZERO to do with application firewalls. This has everything to do with Google and all the other "Web 2.0" not implementing SSL. Application security is VERY important but it's a completely different topic.
      georgeou