August 5th, 2007
Watch Out: Gmail Account Hacked Over Wifi at DefCon
By David Johnston
Contributing Writer, RealTechNews
At this year’s DefCon, a disturbing hack was shown off which involved breaking into a victim’s Gmail account over wifi. Robert Graham, who demonstrated this vulnerability, showed how simple the hack was by breaking into an account during a presentation. All he had to do was select an IP address of any computer he was able to see on any wifi network, and watch any cookies traveling between it and the wireless access point. Because Google only uses SSL by default on the login page, cookies sent to Gmail after the login process is completed are vulnerable to interception. What’s worse is that this hack will actually work for any website that uses cookies to track login information–that’s a lot of websites. Graham claimed to have successfully tested his hack on Yahoo Mail as well, for example.
Luckily, all hope is not lost. There is a simple way to guard yourself against this hack even if you are forced to use an unencrypted wifi hotspot or one encrypted using the ineffective WEP. All you have to do is remember to manually tell Gmail to use SSL for the entire session by using the address: https://gmail.com. If you use Firefox like I do, you can also use an extension called CustomizeGoogle to automatically do this for you–just make sure that you enable the “Secure” option for Gmail after installing it. Unfortunately, there are probably a lot of other websites which don’t offer you the option of using SSL to encrypt your entire session. In these cases, my best advice would be to either avoid using these websites on weakly-protected networks or at least use different passwords so that if, for example, a hacker steals your randomwebsite.com login information he or she can’t use it to log into your bank website.
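The reason a cookie issued during an SSL login can later travel in the clear is a detail the post does not spell out: a browser attaches a cookie to plain http:// requests unless the server marked it with the Secure attribute (RFC 6265). The audit script below is an added example, not code from the article or from Errata Security; it parses constructed Set-Cookie headers (the cookie names and values are made up) and reports which ones a browser would send over HTTP, which is exactly the set a sniffer on an open hotspot could capture. Typing https://gmail.com, as the post advises, is the client-side workaround; setting Secure on the session cookie is the server-side fix the example checks for.

```python
"""Audit Set-Cookie headers for cookies a browser would send over plain HTTP.

Added example: the sample headers are constructed, not captured from Gmail.
"""
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute name (lowercased) -> value; flags such as Secure map to ""
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header line (with or without the 'Set-Cookie:' prefix)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return ParsedCookie(name.strip(), value.strip(), attrs)


def sent_over(cookie: ParsedCookie, scheme: str) -> bool:
    """RFC 6265 rule: a Secure cookie is only attached to https requests;
    a cookie without Secure is attached to both http and https requests."""
    if "secure" in cookie.attrs:
        return scheme == "https"
    return scheme in ("http", "https")


def audit(headers: list) -> list:
    """Return the names of cookies that would be transmitted over plain HTTP.

    Note that HttpOnly does not help here: it only hides the cookie from
    script, it does not keep it off the wire.
    """
    exposed = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if sent_over(cookie, "http"):
            exposed.append(cookie.name)
    return exposed


# Constructed sample: a session cookie without Secure, one with it, and a preference cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: SID=abc123; Domain=.example.com; Path=/; HttpOnly",
    "Set-Cookie: LSID=def456; Domain=.example.com; Path=/; Secure; HttpOnly",
    "Set-Cookie: prefs=lang%3Den; Path=/",
]

if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS):
        print(f"{name}: would be sent in the clear over http://")
```

Run against the constructed sample, the script flags SID and prefs; LSID stays off the wire on HTTP because of its Secure attribute. The same function can be pointed at the Set-Cookie headers of any site you log into to see whether the "type https manually" workaround is even enough there, since a site that issues its session cookie without Secure will still leak it the moment one http:// link is followed.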
Source: TG Daily
Druid says:
The thing that annoys me about articles like this one are the headlines: designed to grab your attention but in doing so mislead. Having ‘Gmail’ in the headline gets more reads but the story is REALLY about the insecurity of using unencrypted WiFi, not the insecurity of Google mail. Any one who uses public WiFi without encryption is begging for trouble regardless of which email provider they use.
August 6th, 2007 at 11:19 am
David Johnston says:
The reason that Gmail is in the title is that it was the website that the attack was demonstrated on. That’s why it reads “Gmail Account Hacked Over Wifi at DefCon”, because that’s what happened. I clearly state in the first paragraph that this affects a large number of other websites (almost all websites that one logs into).
August 6th, 2007 at 12:15 pm
Alan Parekh says:
I always feel a little less secure the week following Defcon.
August 6th, 2007 at 3:44 pm
Tech Coach » Blog Archive » USE SSL! says:
[…] Source: RAW Feed A speaker at DefCon demonstrated live how it’s possible to choose any IP address visible on an wireless network, and intercept the cookies being exchanged. That enabled him to GRAB PASSWORDS. In the demo, he used utilities called Hamster and Ferret created by Errata Security to snatch a Gmail password, but says Yahoo passwords are snatchable as well. The solution? use SSL by typing https in front of the URL instead of http (as in https://gmail.com).(props to RealTechNews) […]
August 7th, 2007 at 2:22 pm
The All New Ewan’s Musings » Blog Archive » links for 2007-12-09 says:
[…] » Watch Out: Gmail Account Hacked Over Wifi at DefCon » Blog Archive Alice Hill’s Real Tech News - Independent Tech There is a simple way to guard yourself against this hack… All you have to do is remember to manually tell Gmail to use SSL for the entire session by using the address: https://gmail.com. (tags: gmail hack defcon wifi security) […]
December 8th, 2007 at 9:24 pm
gurdeep says:
how to hacking the gmail
March 24th, 2008 at 11:04 pm