UK Broadband Forum
  #1  
Old 08-03-2007, 09:13 PM
Senior Member
 
Join Date: Jul 2007
Posts: 151
GMail WIFI hack revealed
Security researchers have presented a GMail hack at the Black Hat conference today.

The hack involves sniffing the cookies returned by Gmail after the user has logged in. Even though the actual login process is handled by HTTPS, the rest of the site is HTTP-based, allowing the cookie to be sniffed.

Once you have the captured cookie, this will allow you unlimited access to that person's mail account.

To perform this hack you need to be able to sniff HTTP traffic, and that's where the WIFI comes in. With the way most internet traffic is routed now, it's very difficult to sniff these cookies except by means of an insecure WIFI connection.

Other Web2.0 applications may also be at risk from this kind of attack, although banking applications are unlikely to be at risk.

Jen
  #2  
Old 08-03-2007, 09:33 PM
Senior Member
 
Join Date: Jul 2007
Location: U.K.
Posts: 128
Mozilla Firefox has a great add-on for editing cookies. I've added it and looked at my own before.

I think, though, that the info is hashed, so it may need to be cracked, read, and then re-inserted.

This isn't good for Gmail; people can SMTP from their standard accounts.
  #3  
Old 08-03-2007, 09:40 PM
Senior Member
 
Join Date: Jul 2007
Posts: 151
That's the point of the hack: you just need to have the cookie, no changing the cookie needed.

Seems the cookie doesn't time out, and isn't locked to a particular IP.

Jen
  #4  
Old 08-20-2007, 05:00 AM
Senior Member
 
Join Date: Aug 2007
Posts: 233
The best way is to delete your cookies every time you log out, but mostly the cookies are timed out after some time. No, I don't think that someone can actually hack into your account after you log out from your account properly.
  #5  
Old 08-20-2007, 08:17 AM
Senior Member
 
Join Date: Jul 2007
Posts: 151
Actually Niki, that's exactly what this hack does: the existence of the valid cookie is enough to give you access to that site. Whether you delete, remove or even eat the cookie doesn't stop it existing elsewhere, giving someone else access to the site.

Of course it does depend a lot on how the programmers devised the authentication system, whether it's locked to a particular IP or whether logging out invalidates the cookie on the remote side, but on the whole developers don't think of these things.

Jen
  #6  
Old 08-20-2007, 12:36 PM
Senior Member
 
Join Date: Aug 2007
Posts: 134
Originally Posted by JenniP
Of course it does depend a lot on how the programmers devised the authentication system, whether it's locked to a particular IP or whether logging out invalidates the cookie on the remote side, but on the whole developers don't think of these things.

Jen
So is that the key, to invalidate as well as to delete the cookie? As someone who has never coded in anything more powerful than Basic, is that hard to do?
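Added example, not part of the thread and not Google's code: a minimal server-side session table in Python showing what "invalidating the cookie on the remote side" looks like, with an idle timeout and a cookie marked Secure so the browser never sends it over plain HTTP. The names SessionStore and sid and the 15-minute timeout are assumptions chosen for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value for illustration


class SessionStore:
    """Server-side session table: the cookie only carries a random lookup key."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # token -> (user, last_seen)
        self._clock = clock

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._clock())
        cookie = SimpleCookie()
        cookie["sid"] = token
        cookie["sid"]["secure"] = True    # browser sends it over HTTPS only
        cookie["sid"]["httponly"] = True  # not readable from page scripts
        cookie["sid"]["path"] = "/"
        return token, cookie["sid"].OutputString()

    def authenticate(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return None  # unknown or already invalidated
        user, last_seen = entry
        now = self._clock()
        if now - last_seen > IDLE_TIMEOUT:
            del self._sessions[token]  # expire on the server, not just in the browser
            return None
        self._sessions[token] = (user, now)
        return user

    def logout(self, token):
        # Deleting the browser's copy is not enough; drop the server's record.
        self._sessions.pop(token, None)


def demo():
    store = SessionStore()
    token, header = store.login("alice")  # constructed sample user
    copy = token                          # any second copy of the cookie value
    before = store.authenticate(copy)
    store.logout(token)
    after = store.authenticate(copy)
    return header, before, after
```

After logout the server no longer recognises the token, so any copy of the cookie held elsewhere stops working, regardless of whether the browser deleted its own copy.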
  #7  
Old 08-20-2007, 02:50 PM
Senior Member
 
Join Date: Jul 2007
Posts: 226
This is always good information to have. Does anyone know what Google plans to do about it, since they are the ones that have not properly set up security to avoid issues such as this?
All times are GMT. The time now is 12:01 PM.