Slashdot Mirror


Point-and-Click Gmail Hacking Shown at Black Hat

not5150 writes "Using Gmail or most other webmail programs over an unsecured access point just got a bit more dangerous. At Black Hat, Robert Graham, CEO of Errata Security, showed how to capture and clone session cookies very quickly over connections without encryption. He even hijacked a shocked attendee's Gmail account in the middle of his presentation. 'While Ou was typing, Graham was running Ferret and sniffing all the cookies that were being sent from Ou's laptop and Google. Graham then clicked on Ou's IP address and Gmail page, complete with Ou's recently sent message on the screen. We photographed both Graham's and Ou's laptop at that time and posted it to the picture gallery. You'll see that the contents are exactly the same.'"

2 of 260 comments

  1. A Black Hat attendee hacked? by dk90406 · Score: 1, Redundant
    Please. Those guys are supposed to be security wizards! And now one of them is caught using plain HTTP to access Gmail? I hope they laughed hard at him. Even security noobs like me know when to use HTTP and HTTPS.

    Luckily Gmail keeps the entire session in HTTPS, as opposed to other sites that are also hackable the same way, where only the logon is secure. After that they switch to HTTP and are susceptible (e.g. Facebook) to this attack.

    There is more on this on Ars Technica: http://arstechnica.com/news.ars/post/20070801-report-sidejacking-session-information-over-wifi-easy-as-pie.html

  2. Re:Could be fixed easily by Google. Shame. by KingEomer · Score: 1, Redundant

    Google does support SSL. Try logging into https://gmail.google.com/

    However, I do admit that it is rather odd that they don't advertise this. They should make a point of telling users not using https to do so, if possible. I only found out about this from a /. post a week or so ago.
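
Added example, not part of the original thread or any commenter's code: a Python check a site operator could run over the response headers of an HTTPS login to spot the pattern the comments above describe, where only the logon is protected and the session cookie then travels over plain HTTP. The header samples, the hostname and the list of session-cookie names are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample: headers returned by the HTTPS login of a hypothetical
# site that secures only the logon and then drops back to HTTP.
LOGIN_ONLY_HTTPS = [
    ("Set-Cookie", "SID=constructed-session-value; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Location", "http://mail.example.test/inbox"),
]

# Constructed sample: the same hypothetical site keeping the session on HTTPS.
FULL_HTTPS = [
    ("Set-Cookie", "SID=constructed-session-value; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Location", "https://mail.example.test/inbox"),
]

# Assumed names of cookies that carry the authenticated session.
SESSION_NAMES = {"sid", "sessionid", "session", "auth"}


def audit_login_response(headers):
    """Return sorted findings for one HTTPS login response.

    headers is a list of (name, value) pairs, so repeated Set-Cookie
    headers are preserved.
    """
    findings = []
    for key, value in headers:
        key = key.lower()
        if key == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for name, morsel in jar.items():
                # Without Secure the browser also attaches the cookie to
                # http:// requests, where anyone on the same open network
                # can read it.
                if name.lower() in SESSION_NAMES and not morsel["secure"]:
                    findings.append(f"cookie {name}: no Secure attribute")
        elif key == "location" and value.lower().startswith("http://"):
            findings.append(f"redirect downgrades to HTTP: {value}")
    return sorted(findings)


if __name__ == "__main__":
    for label, sample in (("login-only", LOGIN_ONLY_HTTPS), ("full", FULL_HTTPS)):
        print(label, audit_login_response(sample))
```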