Created in early 2004, UNEASYsilence aims to deliver daily coverage of offbeat & generally geeky news. Subscribe via RSS or Email.


GMail Accounts Hacked, Kinda

Posted in Privacy by Dan at 4:30 pm

At a Defcon keynote, Robert Graham showed that by sniffing traffic and stealing cookies you can easily hack somebody's GMail account.

The demonstration highlights how easily unsecured network traffic allows some very simple session hijacking. One way you can avoid having your Gmail account taken over by people on your network is to use the SSL version. Be warned, though: any website that relies heavily on cookies for authentication remains vulnerable.

To at least eliminate the packet sniffing angle, I highly recommend people use some sort of VPN when connecting to an untrusted network. Also, use any website's secure server (https) to encrypt all your web traffic.
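
An added example (not from the original post or from the Defcon talk): a small Python audit of a constructed login flow that flags cookies set without the `Secure` attribute and any hop that drops from HTTPS back to HTTP, the two conditions that leave a session cookie readable to someone sniffing the network. The hosts, cookie names and the `parse_set_cookie`/`audit_flow` helpers are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: an HTTPS login followed by a return to plain HTTP.
# Hosts and cookie names are made up for this example.
SAMPLE_FLOW = [
    ("https://login.example.test/auth",
     ["Set-Cookie: SID=abc123; Path=/; HttpOnly"]),
    ("http://mail.example.test/inbox",
     ["Set-Cookie: PREFS=compact; Path=/"]),
]


def parse_set_cookie(header):
    """Return (cookie name, set of lowercase attribute names) for one header."""
    value = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit_flow(flow):
    """List cookies exposed to sniffing and HTTPS-to-HTTP downgrades."""
    findings = []
    prev_scheme = None
    for url, headers in flow:
        scheme = urlsplit(url).scheme
        if prev_scheme == "https" and scheme == "http":
            findings.append(("downgrade", url))
        for header in headers:
            if not header.lower().startswith("set-cookie:"):
                continue
            name, attrs = parse_set_cookie(header)
            # Without Secure, the browser also sends this cookie over plain HTTP.
            if "secure" not in attrs:
                findings.append(("cookie-without-secure", name))
        prev_scheme = scheme
    return findings


if __name__ == "__main__":
    for kind, detail in audit_flow(SAMPLE_FLOW):
        print(kind, detail)
```
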


5 Responses to “GMail Accounts Hacked, Kinda”

  1. Phil Bridges says:

    Surely the same is true for most (http) web based accounts not to mention POP3 and FTP?

  2. Ian says:

    It would be true for any web service that utilized cookies for session-based authentication. Simply sniff the traffic and steal the cookie, and voila, you’re in.

    Phil, do you mean stealing cookies for POP3 and FTP, or just sniffing to get the login info in cleartext?

  3. So how is this done exactly? Like what sorts of programs can I use to sniff traffic to capture cookies and then hi-jack them (insert them into my HTTP headers?). Just curious… O:)

    And I guess the only way to avoid this from happening is by using SSL via the HTTPS (https://www.gmail.com). Don’t really know why gmail.com doesn’t automatically redirect you to HTTPS protocol.

  4. Ian says:

    Do a simple google search for sniffing packets. It’s pretty simple to do, but the hard part is isolating the cookie packets to steal. If you actually look further into the DEFCON technique, you’ll see that it really isn’t just a point and click task. Not yet anyway…

  5. OK, here is the thing I found out. If you visit “HTTP://mail.google.com” without being signed in, you get redirected to a page with the URL starting with “HTTPS://www.google.com/…” for the login page, and then after logging in you get sent back to “HTTP://mail.google.com”. Also, if you are already logged in to Gmail, when you visit “HTTP://mail.google.com” you will remain on the HTTP protocol. That is strange. And I have the Gmail Notifier system tray icon, and for some reason that only goes to the HTTP protocol. But then, that program is a few years out-dated, and I just personally hate using Google Desktop :-P

    Anyone can figure out the reasoning of google for a HTTPS to redirect to HTTP after logging in?
