RSSHOWTO - Protect GMail from session snatching
By default, Google Mail sets a session cookie that doesn't have the secure flag, meaning that if you log in to GMail, leave, and later return to the unencrypted "http://" URL (instead of "https://"), your browser will transmit your session information in plain-text to the server. This problem gained some attention last year and we mentioned a couple of strategies to get around the problem, either by using a Firefox plugin, or by only using GMail and logging out before browsing other sites.
A tool was recently released called Surf Jack, which is demonstrated in the video above. Surf Jack makes it incredibly easy to steal the credentials from another user's GMail session. An attacker could take this into a typical coffee shop, wait for someone to check their mail, and then harvest their session. This gives the attacker complete access to anything confidential that the victim may have in their inbox.
Thankfully, since the problem was identified last year, Google added an additional setting in the GMail settings panel that fixes the problem. It looks like this:
If you go into the Settings panel, choose "Always use https", and save your changes, GMail will change its default behavior and use the secure flag on its session cookie. From that point forward, you'll no longer be vulnerable to GMail session snatching, regardless of what machine or browser you use to check your mail.
I'm not sure why this isn't the default value, but it isn't, so go change it.
Surf Jack - HTTPS will not save you
Posted by Jason Striegel |
Aug 12, 2008 09:04 PM
Gmail |
Permalink
| Comments (4)
Recent Entries
- Basement Apollo Guidance Computer
- Pringles can macro photography
- YouTube Comment Snob
- iPhone macro focus
- Multitouch touch-pad support for Linux laptops
- Dealing with large numbers of files in Unix
- Wii Physics
- Display batting stats in a Google Gadget
- Roomba controlled by Wii Balance Board
- Pixlr: Flash photo editor
Comments
Newest comments listed first.
| Posted by: Semantik on August 12, 2008 at 9:43 PM |
just updated my gmail settings... appreciate the tip!
| Posted by: Ron on August 13, 2008 at 11:21 AM |
this is the lamest thing I've ever seen in hackszine.com
now you start crediting script kiddies?
really bad. this is not a hack at all!
| Posted by: Kyoorius on August 15, 2008 at 6:26 AM |
Your Blackberry (or other mobile device) Gmail client may go bezerk after enabling "always use https" from the web.
To fix, go into the "More->settings" menu on your mobile phone client and check "always use secure connection".
| Posted by: Zed on September 1, 2008 at 11:10 AM |
Thanks for making this vulnerability and the fix known.
Leave a comment
Bloggers
Welcome to the Hacks Blog!
Brian Jepson
Jason Striegel
Phillip Torrone
Categories
- Ajax
- Amazon
- AppleTV
- Astronomy
- Baseball
- BlackBerry
- Blogging
- Body
- Cars
- Cryptography
- Data
- Design
- Education
- Electronics
- Energy
- Events
- Excel
- Excerpts
- Firefox
- Flash
- Flickr
- Flying Things
- Food
- Gaming
- Gmail
- Google Earth
- Google Maps
- Government
- Greasemonkey
- Hacks Series
- Hackszine Podcast
- Halo
- Hardware
- Home
- Home Theater
- iPhone
- iPod
- IRC
- iTunes
- Java
- Kindle
- Knoppix
- Language
- LEGO
- Life
- Lifehacker
- Linux
- Linux Desktop
- Linux Multimedia
- Linux Server
- Mac
- Mapping
- Math
- Microsoft Office
- Mind
- Mind Performance
- Mobile Phones
- Music
- MySpace
- MySQL
- NetFlix
- Network Security
- olpc
- OpenOffice
- Outdoor
- Parenting
- PCs
- PDAs
- Perl
- Philosophy
- Photography
- PHP
- Pleo
- Podcast
- Podcasting
- Productivity
- PSP
- Retro Computing
- Retro Gaming
- Science
- Screencasts
- Security
- Shopping
- Skype
- Smart Home
- Software Engineering
- Sports
- SQL
- Statistics
- Survival
- TiVo
- Transportation
- Travel
- Ubuntu
- Video
- Virtualization
- Visual Studio
- VoIP
- Web
- Web Site Measurement
- Windows
- Windows Server
- Wireless
- Word
- World
- Xbox
- Yahoo!
- YouTube
Archives
Recent Posts
- Basement Apollo Guidance Computer
- Pringles can macro photography
- YouTube Comment Snob
- iPhone macro focus
- Multitouch touch-pad support for Linux laptops
- Dealing with large numbers of files in Unix
- Wii Physics
- Display batting stats in a Google Gadget
- Roomba controlled by Wii Balance Board
- Pixlr: Flash photo editor
www.flickr.com
|
