Slashdot Mirror


Man-in-the-Middle Attack on MySpace with Cain

Slimjim100 writes "Last year at ChicagoCon 2007, Brian Wilson gave a great talk entitled 'Cain & Abel: Windows Can Hack, Too!' Although the presentation and audio recording of the talk can be downloaded from the ChicagoCon site at Library, I had totally forgotten to publish his videos. Just in case things didn't go as planned during the live event or his laptop crapped out on him, Brian made a video of the MITM attack he demonstrated using Cain. You get to see how MySpace and other social networking sites are not designed with security in mind."

1 of 45 comments

  1. Re:This is not new by call-me-kenneth · Score: 2, Interesting

    What did the notice to MySpace/Google etc. consist of? I can break things on my local LAN, so fix your site? Well, yes.

    The point is that, as you observe, it's trivial on many switched LANs to ARP poison and steal session credentials. (It's all about the session, dummy, not the data.) Pinch a Gmail password from a co-worker and you probably own their domain password, brokerage, online banking, ... passwords as well.

    You're right that this is nothing new, but the fix is really trivial. Use SSL or TLS. Gmail does support this; browse to https://mail.google.com/, bookmark that and you're done. It's not like the cost of the extra cycles is that great compared with ten years ago.
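Added example, not part of the comment above or of the talk: a defender-side check for the ARP poisoning the comment describes, comparing two snapshots of a host's ARP table. The function names, the gateway address and the sample rows are constructed for illustration; the parser assumes rows shaped like the output of `ip neigh` or `arp -a`.

```python
import re
from collections import defaultdict

# An IPv4 address followed later on the same line by a MAC (':' or '-' separated).
# This covers row layouts from both `ip neigh` (Linux) and `arp -a` (Windows).
ROW = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}).*?((?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})")

def parse_arp(text):
    """Return {ip: mac}, MACs normalised to lower-case and colon-separated."""
    table = {}
    for line in text.splitlines():
        m = ROW.search(line)
        if m:  # header rows and incomplete entries carry no MAC and are skipped
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def find_poisoning(before, after, gateway):
    """Compare two ARP snapshots and return a list of findings."""
    old, new = parse_arp(before), parse_arp(after)
    findings = []
    # 1. An IP whose MAC changed between snapshots; the gateway matters most,
    #    because traffic to the outside world is what a MITM wants to relay.
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            kind = "gateway-mac-changed" if ip == gateway else "mac-changed"
            findings.append((kind, ip, old[ip], mac))
    # 2. One MAC answering for several IPs. Proxy ARP and multi-homed hosts
    #    can cause this legitimately, so treat it as a lead, not proof.
    owners = defaultdict(list)
    for ip, mac in new.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            findings.append(("shared-mac", mac, tuple(sorted(ips))))
    return findings

# Constructed sample data: the gateway's MAC is replaced by a neighbour's MAC.
BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev eth0 lladdr 66:77:88:99:aa:bb STALE
"""
AFTER = """\
192.168.1.1 dev eth0 lladdr 66:77:88:99:AA:BB REACHABLE
192.168.1.23 dev eth0 lladdr 66:77:88:99:aa:bb STALE
"""

if __name__ == "__main__":
    for finding in find_poisoning(BEFORE, AFTER, gateway="192.168.1.1"):
        print(finding)
```

A check like this only notices poisoning after the fact; the protection for the session itself remains the one the comment gives, carrying it over SSL/TLS.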