WiFi Could Expose Gmail to Hacking
People who use WiFi connection to access Gmail accounts on Google Inc. or accounts in the Facebook social networking site could potentially fall victim to hacking, according to Errata Security Inc., a company providing computer security.
Robert Graham representing Errata Security showed how to hack a Gmail account while demonstrating at the Black Hat Conference at Las Vegas. Till then, people thought Gmail and other similar sites were safe since they encrypted entries when users logged in.
Graham used the Gmail account of an attendee at Black Hat who was reading his e-mail to show how to tap the validation cookie, join it to a web browser on the PC, and reach the attendee's account.
Most websites have encryption service for passwords when they are typed in, but because the service is expensive, there is no further encryption like the information communicated between a browser and a site, the researchers wrote in a paper at the conference held in the first week of August 2007.
By using the same method, hackers could sneak into other mail accounts too. This is also possible for social networking sites such as MySpace. After seizing an account, the hacker usually modifies the password that would no longer let the legitimate user access his/her account.
The technique could also enable the hacker to read e-mail, post material on blogs, or perform other malicious operations. Meanwhile, the person under attack is taken to the Web page he/she wanted to visit. Errata called this 'sidejacking'.
A solution to this problem is not to connect to public WiFi unless the user employs a secure sockets layer or Virtual Private Networking (VPN) to access his/her account, Graham wrote in a study paper. PCWorld reported this on August 1, 2007.
If A sniffs B's Gmail connection and obtain all of B's cookies to join it to A's Gmail account, then A imbibes the identity of B that fundamentally breaks Web 2.0 processes, Graham explained. The Register reported this on August 2, 2007.
For protection, Graham suggested users to select Google options, which keep the Gmail encrypted automatically during the entire session.
Related article: Web Browsers Too Have Security Exploits
» SPAMfighter News - 14-08-2007