Cookies in Gmail, Hotmail, and Yahoo! Mail Pose Security Threat
Cookies are used in your web browser to store information, but have you ever thought about how easy it would be for a hacker to quickly gain access to them? It is actually frighteningly easy as Robert Graham, the CEO of errata security, demonstrated at the Black Hat security convention. All it really takes is a point-and-click of the mouse:
First Graham needs to be able to sniff data packets and in our case the open Wi-Fi network at the convention fulfilled that requirement. He then ran Ferret to copy all the cookies flying through the air. Finally, Graham cloned those cookies into his browser – in easy point-and-click fashion - with a home-grown tool called Hamster.
The attack can hijack sessions in almost any cookie-based web application and Graham has tested it successfully against popular webmail programs like Google’s Gmail, Microsoft’s Hotmail and Yahoo Mail. He stressed that since the program just uses cookies, he only needs an IP address and usernames and passwords aren’t required.
In front of everyone at the convention Graham demonstrated how he could intercept the cookies from a person sending an email. He had someone creat a Gmail account, and in no time at all Graham had intercepted the cookies therefore enabling him to send an email disguised as the victim. As mentioned in the above quote, there were no usernames or passwords needed.
–Secure Yourself–
One of the easiest things that you can do to secure yourself from such an easy attack is to use https:// instead of http:// whenever it is available. Some services like Gmail offer this alternative, and using it encrypts your session using SSL so that these types of attacks don’t happen.
Firefox users (with Greasemonkey), Internet Explorer users (with IE7 Pro or Turnabout), and Opera users can use a script such as this one that is setup to automatically replace the http:// with https:// anytime that you visit Gmail. That way you never have to think about doing it yourself.
You should also try not to visit sites that use sensitive information while connected to a public hotspot, but I think we all know that by now.
Source: TG Daily [via Slashdot]
Enjoyed the post? Subscribe to our feed to get a daily dose of CyberNet!
Tags: Firefox, Freeware, Software, Browser, Email, Gmail, Greasemonkey, Internet Explorer, Mail, Mozilla, Opera, Yahoo
Related Posts:
- Get 4 GB of Storage with Windows Live Mail Plus
- Switch to Yahoo! Mail from Gmail and Hotmail
- Use Yahoo! Mail or Gmail for MailTo Links in Firefox 3
- Yahoo, Hotmail and Gmail Keyboard Shortcuts to Delete Emails
- Helpful Tip: How to Report a Phishing Email
I’ve found the easiest way to “remember” to add the https is to just bookmark gmail and whatever other google apps you use (that support https- not all of them do) is to just bookmark each site with the htpps.
For all you Firefox users, I strongly recommend the use of a fantastic extension called CustomizeGoogle ( http://www.customizegoogle.com ). It offers the option of using https:// instead of http:// on (possibly) all the Google sites that allow it, along with TONS of other useful options. If you’re a Firefox user and a Google fan, this extension is a must.
For Gmail you could also use the fabulous Firefox extension “Better Gmail” that combines several greasemonkey scripts:
http://lifehacker.com/software.....251923.php
It adds tons of functionalities, including encrypted connection (https).
I honestly thought these sites were better than that. I mean if you’re a big name like Google, you’ve got people employed full-time just to work on security. How is it that ALL connections aren’t encrypted?
@dkong: That’s what I normally do, too. It just takes a little extra effort to remember to add the https when you’re bookmarking a site.
@Lappy: That is a great extension, and it does many things that a Google user would love including forwarding to the https.
@lightman: Just make sure you don’t enable too many of those scripts…I noticed a huge slowdown when I did that.
@Alex: I thought the same thing, and it still boggles my mind why Google wouldn’t be enforcing the secure connections. I’m pretty sure that most browsers support it just fine (even mobile ones).
Google must remove support for http and enforce only https. This way there is no chance of a security breach
You should be thankful that Gmail offers the ssl version (Yahoo Mail and Hotmail don’t have something like that). The reason why Gmail doesn’t default to https is that it would consume a lot of resources on both ends and then you’d say Gmail is too slow.
hi who can show me how to attack by cookies??
i hope i can get demo video . sent me .
thank you .
e_mail:qwer1234981@yahoo.com.cn
songqwr123@aol.com