Gmail And Yahoo! Mail Hacked - How To Protect Yourself

Tweet

In front of a live audience at the Black Hat security convention, Robert Graham (CEO Errata Security) showed how it was possible to hack into popular email programs like Gmail, Yahoo! Mail and Hotmail without using any passwords. All he needed was an IP Address and username. At the convention, Graham was able to hijack someone’s Gmail account during his unscripted demonstration. The attack is actually quite simple. First Graham needs to be able to sniff data packets and in our case the open Wi-Fi network at the convention fulfilled that requirement. He then ran Ferret to copy all the cookies flying through the air. Finally, Graham cloned those cookies into his browser – in easy point-and-click fashion - with a home-grown tool called Hamster. -Source TG Daily The attack is able to hijack sessions in just about any web application that uses cookies. He was able to successfully break into the big three: Gmail, Yahoo! Mail and Hotmail. As Graham stated, “I see ten people’s cookies on my screen, I just need to click on the guy’s IP address and I’m in. Once you get someone’s Google account, you’d be surprised at the stuff you’d find." How You Can Protect Yourself What can you do to safeguard your email, especially in public Wi-Fi hotspots? Be sure to use a secure login (HTTPS instead of HTTP) every single time. This will send your credentials over an encrypted Secure Sockets Layer (SSL), which will encrypt your login session and prevent your cookies from being cloned. For Gmail: Use https://mail.google.com/mail/ For Yahoo!: Click the "Secure" link below the "Sign In" button. For Hotmail: Click the "Sign in using enhanced security" link on the sign in form. If you have any login pages (for any type of online account) bookmarked, be sure to check and see if they have secure login pages available. Then, update your bookmarks to those pages.