Homepage tabWindows tabGames tabDrivers tabMac tabLinux tabScripts buttonMobile tabHandheld tabGadgets tabNews tab


NEWS CATEGORIES:



NEWS ARCHIVE >>
SOFTPEDIA REVIEWS >>
MEET THE EDITORS >>
Home / News / Security / Hacking News

Hacking News

Gmail Account Automatic Hacking Tool Presented at Defcon

Users are encouraged to enable the permanent https option in Gmail

By Lucian Constantin, Web News Editor

11th of August 2008, 15:57 GMT

Adjust text size:


Gmail account hacking tool presented at Defcon
Enlarge picture
A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas.

Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, and not only, authentication. Users who did not turn it on now have a serious reason to do so as Mike Perry, the reverse engineer from San Francisco who developed the tool is planning to release it in two weeks.

When you log in to Gmail the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually hit the sign out button. When you hit sign out this cookie is cleared.

Even though when you log in, Gmail forces the authentication over SSL (Secure Socket Layer), you are not secure because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SLL connections are slower.

The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks.

Perry mentioned that he notified Google about this situation over a year ago and even though eventually it made this option available, he is not happy with the lack of information. "Google did not explain why using this new feature was so important" he said. He continued and explained the implications of not informing the users, "This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they're secure but they're really not."

If you are logging in to your Gmail account from different locations and you would like to benefit from this option only when you are using unsecured networks, you can force it by manually typing https://mail.google.com before you log in. This will access the SSL version of Gmail and it will be persistent over your entire session and not only during authentication.

TAGS:

 Gmail | Hack | Cookie | Seession ID | SSL
Read by 11,545 user(s) | Add comment | Link to this article TWEET THIS


Article rating:
Very Good (4.5/5) 10 vote(s)    

Subscribe to news | Print article | Send to friend

© Copyright 2001-2009 Softpedia
Contact:

 

 

SEARCH THE NEWS ARCHIVE :




Today's News | Yesterday's News | News Archive


MORE RELATED ARTICLES:


Encrypted Data Makes Gmail Safer

FUNNY Way to Hack Gmail

502 Error: Gmail Users Cut Off from Their Accounts

The Name Behind the Gmail Address

Gmail Now Safer

User opinions:


Comment #1 by: Not Met on 20 Aug 2008, 03:42 GMT reply to this comment

Huh? How is this new? Cookies have always been vulnerable to man-in-the-middle attacks.


Comment #2 by: b$ on 20 Aug 2008, 15:19 GMT reply to this comment

Thanks for turning my attention to the new "stay in SSL" gmail feature.


Comment #3 by: abhi on 12 Feb 2009, 09:10 GMT reply to this comment

how to get my password of gmail account when i forgot my password and forgot my answer of alt question

Comment #3.1 by: Lucian Constantin on 12 Feb 2009, 09:59 GMT

If you have an alternative e-mail address registered with your GMail account then it should be quite easy, a password reset link will be sent to it.

If you did not list an alternative e-mail address and you don't remember your password and neither the answer to the security question then there's still hope, but it depends on the GMail support staff.

First wait 24 hours since your failed login attempt. This is very important. Don't use other google services associated with the account either, neither POP3 or IMAP etc.

After 24 hours have passed complete the form located here: http://www.google.com/support/accounts/bin/request.py?ara=1 and then wait for the GMail support staff to investigate and make a decision regarding the validity of your claim.


Comment #4 by: Depinder Bharti on 27 Apr 2009, 06:01 GMT reply to this comment

There is one more similar attack with attachments

Share your opinion:

Your Name:
Your Email Address:
(will not be used for commercial purposes)
Solve this to prove you're not a bot: =
Your review/opinion:

 




Windows tabGames tabDrivers tabMac tabLinux tabScripts tabMobile tabHandheld tabGadgets tabNews tab

SUBMIT PROGRAM   |   ADVERTISE   |   GET HELP   |   SEND US FEEDBACK   |   RSS FEEDS   |   ENTER NEWS SITE   |   ENGLISH BOARD   |   ROMANIAN FORUM
© 2001 - 2009 Softpedia. All rights reserved.
Softpedia® and the Softpedia® logo are registered trademarks of SoftNews NET SRL.		 Copyright Information | Privacy Policy | Terms of Use | Update your software | Archive