Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Gmail Account Hacking Tool

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Gmail Account Hacking Tool

    Quick solution: log into gmail, go to settings and at the bottom choose "Always use https". I found that it wasn't set on my system.

    Source: http://www.hungry-hackers.com/2008/0...king-tool.html

    A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers’ conference in Las Vegas.

    Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, and not only, authentication. Users who did not turn it on now have a serious reason to do so as Mike Perry, the reverse engineer from San Francisco who developed the tool is planning to release it in two weeks.

    When you log in to Gmail the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually hit the sign out button. When you hit sign out this cookie is cleared.

    Even though when you log in, Gmail forces the authentication over SSL (secure Socket Layer), you are not secure because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SLL connections are slower.

    The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks.

    Perry mentioned that he notified Google about this situation over a year ago and even though eventually it made this option available, he is not happy with the lack of information. “Google did not explain why using this new feature was so important” he said. He continued and explained the implications of not informing the users, “This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they’re secure but they’re really not.”

    If you are logging in to your Gmail account from different locations and you would like to benefit from this option only when you are using unsecured networks, you can force it by manually typing https://mail.google.com before you log in. This will access the SSL version of Gmail and it will be persistent over your entire session and not only during authentication.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    Yup, there is no reason not to set it. I changed over a little while ago after I found out it was an option. Its so nice :-)

  3. #3
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    OHHH thanks. Mine wasnt set to anything.

    Thanks.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  4. #4
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Thank you very much for the heads up. I will pass this along.
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  5. #5
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391

    Question

    Hmm i have mine just setup so i can access it through outlook.

    Haven't actually logged in using there actual site, so i doubt that i will need to really worry about this.

    But none the less thanks for the heads up.

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Besides setting this option, you can force the session to stay https by including a https when you type in the address.

    Instead of just typing www.gmail.com or gmail.com or etc. type out https://gmail.com and the whole session will be over https, not just the login.

    Who knows why they wouldn't make this a default... They go through the trouble of ensuring that imap and pop3 connections are done over ssl... Why not force https too?!

    BTW: It's nice to see that google docs and the like can now be used over SSL. I really liked the idea of google docs when it came out. The only reason I never used it and denied it on my corporate network was because of the lack of SSL. I know a lot of IT professionals who share various scripts and docs between each other using google docs. I would never join them because of the lack of SSL.
    Last edited by phishphreek; August 23rd, 2008 at 04:52 PM.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #7
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391

    Question

    Edit scratch that, in ff3 it stayed in a secure session, but under ie after authenticating it dropped into a normal session.??
    Last edited by t34b4g5; August 23rd, 2008 at 05:18 PM.

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    As I suspected, it would seem that the problem extends beyond Google?

    A security researcher has been in discussions with Google on an exploit he plans to release that would allow a hacker to easily intercept someone's communications with supposedly secure Web sites over an unsecured Wi-Fi network, but other sites, like Facebook, Yahoo Mail, and Hotmail, remain vulnerable.
    Source:

    http://news.cnet.com/8301-1009_3-100....html?hhTest=1

  9. #9
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391
    It is also very possible that Google will make it so that the "always encrypt" mode is automatically enabled when people first log in via "https://gmail.google.com" instead of having to go into settings and enable it manually, Perry says.
    Well at least Google is actually doing something about this, they are taking a step in the write direction and auto turning the switch on for everyone.
    That way those that are less tech savy will also be in the clear.

  10. #10
    Senior Member
    Join Date
    Oct 2007
    Location
    do a whois search on my ip...
    Posts
    268
    Thanks for the heads up, mine wasn't set to anything either!


    Quote Originally Posted by t34b4g5
    Well at least Google is actually doing something about this, they are taking a step in the write direction and auto turning the switch on for everyone.
    That way those that are less tech savy will also be in the clear.

    Yeah where as if it were Microsoft, well you know...
    http://i47.photobucket.com/albums/f1...naturecopy.jpg

    You Haven't Lived Until You Have Died...

Similar Threads

  1. Port List
    By ThePreacher in forum Miscellaneous Security Discussions
    Replies: 17
    Last Post: December 14th, 2006, 09:37 PM
  2. Google as a Hacking Tool
    By 3rr0r in forum The Security Tutorials Forum
    Replies: 26
    Last Post: December 1st, 2004, 06:31 AM
  3. Want a free GMail account?
    By jehnx in forum AntiOnline's General Chit Chat
    Replies: 85
    Last Post: October 30th, 2004, 07:04 AM
  4. Gmail account to 1st response
    By ss2chef in forum AntiOnline's General Chit Chat
    Replies: 23
    Last Post: September 6th, 2004, 11:19 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •