Gmail And Yahoo! Mail Hacked - How To Protect Yourself

August 17, 2007 11:05am CST
In front of a live audience at the Black Hat security convention, Robert Graham (CEO Errata Security) showed how it was possible to hack into popular email programs like Gmail, Yahoo! Mail and Hotmail without using any passwords. All he needed was an IP address and username.

At the convention, Graham was able to hijack someone’s Gmail account during his unscripted demonstration. The attack is actually quite simple. First Graham needs to be able to sniff data packets and in our case the open Wi-Fi network at the convention fulfilled that requirement. He then ran Ferret to copy all the cookies flying through the air. Finally, Graham cloned those cookies into his browser – in easy point-and-click fashion – with a home-grown tool called Hamster.
- Source: TG Daily

The attack is able to hijack sessions in just about any web application that uses cookies. He was able to successfully break into the big three: Gmail, Yahoo! Mail and Hotmail. As Graham stated, “I see ten people’s cookies on my screen, I just need to click on the guy’s IP address and I’m in. Once you get someone’s Google account, you’d be surprised at the stuff you’d find.”

How You Can Protect Yourself

What can you do to safeguard your email, especially in public Wi-Fi hotspots? Be sure to use a secure login (HTTPS instead of HTTP) every single time. This will send your credentials over an encrypted Secure Sockets Layer (SSL), which will encrypt your login session and prevent your cookies from being cloned.

For Gmail: Use
For Yahoo!: Click the "Secure" link below the "Sign In" button.
For Hotmail: Click the "Sign in using enhanced security" link on the sign-in form.

If you have any login pages (for any type of online account) bookmarked, be sure to check and see if they have secure login pages available. Then, update your bookmarks to those pages.
3 people like this
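The post's advice (always log in over HTTPS) protects the login itself. The cookie-level control that keeps a session cookie off cleartext HTTP afterwards is the Secure attribute, and HttpOnly keeps it out of reach of page scripts. The following is an added example, not code from the post, from TG Daily or from Errata Security's Ferret/Hamster tools: it parses Set-Cookie headers, flags session-looking cookies that lack those attributes, and models the one browser rule Secure adds (never send the cookie on an http:// request). The cookie names, values and the SESSION_NAME_HINTS list are constructed assumptions; domain and path matching are deliberately left out.

```python
"""Audit Set-Cookie headers for session cookies that a browser would send in
the clear over plain HTTP (and so could be copied by anyone sniffing an open
Wi-Fi network).

Added example: cookie names and values below are constructed, not taken from
any real service."""
from __future__ import annotations

from dataclasses import dataclass, field

# Name fragments that suggest a cookie carries a login session (assumption:
# tune this list for the application being audited).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed sample headers: the first is the weak form and the second the
# hardened form of the same session cookie; the third is a non-session cookie.
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Domain=.example.com",
    "SID=abc123; Path=/; Domain=.example.com; Secure; HttpOnly",
    "prefs=dark; Path=/",
]


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split one Set-Cookie header value into (name, value, {attr_lower: attr_value}).
    Flag attributes such as Secure and HttpOnly get an empty string as value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic: does the cookie name suggest it carries a login session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def would_be_sent(header: str, url: str) -> bool:
    """Model the one browser rule the Secure attribute adds: a Secure cookie is
    never sent on an http:// request. Domain and path matching are deliberately
    ignored here; the sample URLs are assumed to match the cookie."""
    _, _, attrs = parse_set_cookie(header)
    if url.lower().startswith("http://") and "secure" in attrs:
        return False
    return True


def audit_cookie(header: str) -> CookieAudit:
    """Report the attributes a session cookie needs to resist sniff-and-replay:
    Secure keeps it off cleartext HTTP, HttpOnly keeps it away from script."""
    name, _value, attrs = parse_set_cookie(header)
    audit = CookieAudit(name, secure="secure" in attrs, httponly="httponly" in attrs)
    if looks_like_session_cookie(name):
        if not audit.secure:
            audit.findings.append(
                "missing Secure: sent over http://, so readable by anyone sniffing the network"
            )
        if not audit.httponly:
            audit.findings.append("missing HttpOnly: readable by page scripts")
    return audit


def audit_all(headers: list[str]) -> dict[str, list[str]]:
    """Return {cookie name: findings} for every header that has at least one finding."""
    results: dict[str, list[str]] = {}
    for header in headers:
        audit = audit_cookie(header)
        if audit.findings:
            results.setdefault(audit.name, []).extend(audit.findings)
    return results


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = audit_cookie(header)
        status = "OK" if not result.findings else "; ".join(result.findings)
        print(f"{result.name:6} secure={result.secure!s:5} httponly={result.httponly!s:5} {status}")
        print(f"       sent on http://www.example.com/ ? {would_be_sent(header, 'http://www.example.com/')}")
```

Run as a script it prints one line per constructed header; the first SID cookie is the shape that made the demonstration work (the browser hands it over on any http:// request), the second is the same cookie in the form that stays on the encrypted connection. Point `audit_all` at the Set-Cookie headers captured from your own application's login response to check its session cookies the same way.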
4 responses
@suspenseful (40312)
• Canada
1 Nov 07
Thank you for the information. I guess that means that I will have to enter my password all the time. Oh, and in Gmail, does that mean that I will no longer have access to my Blogger and to my photos? I use them a lot.
• Bangladesh
18 Aug 07
Think this is very good for all while protecting their
@teflon09 (208)
• India
17 Aug 07
Hi punjabirapper, pretty cool info. Thanks. Well, what if a site does not offer SSL to us? I enter some password-protected sites which don't have an SSL mechanism or 128-bit encryption. Are we at a loss? Please lemme know. Thanks again.
@theprogamer (10539)
• United States
17 Aug 07
Cannot stress enough that people really need to be careful with their online business/transactions/etc. Be especially careful in public Wi-Fi spots and when using public computers (people tend to forget to log out on public computers). Be wary of copycat/squatter sites and make sure to look for the https when signing into crucial accounts.