At Defcon, hackers demonstrated a tool to hack into GMail accounts by using snooping unencrypted data (man-in-the-middle attack) with cookies which GMail uses for everything other than login by default.
Now Google has introduced the ability to optionally encrypt any transmission to / from GMail and not just the login sequence. Previously login sequence was encrypted only. All other data was transmitted unencrypted making it vulnerable to hackers. That means every email, every article that you are reading on your GMail account is transmitted unencrypted over the web.
This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once the hackers gets the session ID, hacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are more vunerable than the ones using secure wired networks.
Now Google has introduced the ability to optionally encrypt any transmission to / from GMail and not just the login sequence. Previously login sequence was encrypted only. All other data was transmitted unencrypted making it vulnerable to hackers. That means every email, every article that you are reading on your GMail account is transmitted unencrypted over the web.
This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once the hackers gets the session ID, hacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are more vunerable than the ones using secure wired networks.
Comments
Post a Comment