
August 5th, 2007

Gmail vulnerability disclosed at Defcon

Posted by Garett Rogers @ 3:40 pm

Categories: Gmail

Tags: Google Gmail, Network, Vulnerability, E-mail, Garett Rogers

Though it’s not specific to Gmail, or easily exploitable by users outside your network, a session hijacking demonstration by Robert Graham showed hackers how to take over a user’s email account by simply sniffing network traffic and stealing cookies. In the demonstration, George Ou volunteered an email address he created to be hacked into — and it didn’t take long. Within seconds, the attacker was able to use a point-and-click interface to get access to this account and send a message from it.

The demonstration highlights how easily unsecured network traffic enables very simple session hijacking. One way you can avoid having your Gmail account taken over by people on your network is to use the SSL version — be warned though, any website that relies heavily on cookies for authentication remains vulnerable.

If you don’t have Greasemonkey installed, or you still use Internet Explorer, get used to typing “https://www.gmail.com” to check your email — doing this will safeguard you from prying eyes sniffing the network. If you have Firefox, you can install this Greasemonkey script to ensure your session always remains in “secure mode”.
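The caveat about cookie-based authentication can be checked from the defender's side: a session cookie stays off unencrypted connections only if it is set over HTTPS and carries the Secure attribute. The following is an added example, not part of the original post; the host name, cookie names and values are constructed, and the function names are hypothetical.

```javascript
// Added example: audit Set-Cookie headers for exposure to network sniffing.
// All sample values below are constructed for illustration.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const item of rest) {
    if (!item) continue;
    const i = item.indexOf('=');
    const key = (i === -1 ? item : item.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : item.slice(i + 1);
  }
  // A pair without '=' is treated as a nameless cookie value.
  const name = eq === -1 ? '' : pair.slice(0, eq);
  return { name, value: pair.slice(eq + 1), attrs };
}

// Return the findings for one cookie received in a response from `url`.
function auditCookie(header, url) {
  const c = parseSetCookie(header);
  const findings = [];
  if (new URL(url).protocol !== 'https:') {
    findings.push('set over plain HTTP: visible to anyone sniffing the network');
  }
  if (!c.attrs.secure) {
    findings.push('no Secure attribute: browser also sends it on http:// requests');
  }
  return { name: c.name, findings };
}

// Audit every Set-Cookie header of a response; keep only cookies with findings.
function auditResponse(url, setCookieHeaders) {
  return setCookieHeaders
    .map((h) => auditCookie(h, url))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample: a login response over HTTPS that sets two cookies.
const SAMPLE_URL = 'https://mail.example.test/login';
const SAMPLE_HEADERS = [
  'SESSION=abc123; Path=/; Secure; HttpOnly',
  'AUTH=def456; Path=/; Domain=example.test',
];

for (const r of auditResponse(SAMPLE_URL, SAMPLE_HEADERS)) {
  console.log(r.name + ':');
  for (const f of r.findings) console.log('  - ' + f);
}
```

In the sample, only `AUTH` is reported: it was set over HTTPS but lacks Secure, so the browser would still attach it to any plain-HTTP request to the same site.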

Garett Rogers is employed as a programmer for iQmetrix, which specializes in retail management software for the wireless industry. See his full profile and disclosure of his industry affiliations.



  • Talkback
  • Most Recent of 6 Talkback(s)
set SSL always on
You can also use the Add-on "CustomizeGoogle" which gives you lots of options to customize Google to your liking....
Posted by: CzarCar Posted on: 08/10/07
Google Security  paulloke | 08/05/07
How can I set SSL "always on" in Gmail?  pjotr123 | 08/06/07
Start by reading the article - it told you how!  CobraA1 | 08/06/07
set SSL always on  CzarCar | 08/10/07
Can be prevented by a good Web App Firewall  guyr@... | 08/06/07
This has ZERO to do with application firewalls  georgeou | 08/06/07
