Some recent security problems in Google’s e-mail service Gmail have been covered here previously. If you did not feel the urge to take any precautions back then, this might be the right time to do so. At the Defcon hackers conference in Las Vegas, Mike Perry announced the upcoming release of a tool automating the Gmail hacking process.
The reverse engineer from San Francisco said he informed Google about the security problems in Gmail more than a year ago, but that he is disappointed by the lack of attention it has received. As a result, the tool will be released in a few weeks.
When you log in to Google, a cookie containing your session ID is set so that you stay logged in and can access different Google websites without entering your password every time. At login, Google performs the authentication over an encrypted SSL (Secure Sockets Layer) connection, but, mostly to save on bandwidth, it reverts to an unencrypted connection afterwards. However, when content is accessed from Gmail, such as images, the same cookie containing your session ID is sent to the website of the served image. If hackers detect traffic somewhere and upload a picture, they can trace the session ID when the picture is viewed and log in to your account.
One way to keep your login details from being stolen is to permanently enable SSL in your interaction with Google. In Gmail this option can be enabled in the Settings by choosing ‘always use https’. The connection is then always encrypted. Problems may appear on corporate networks though, as many of these block encrypted outgoing messages that have not been identified by the system. An SSL connection might also slow things down if you are surfing on low bandwidth.
It remains to be seen whether Google will take action against this hole in their system and improve their security, or whether they will leave it up to the casual user to enable SSL. It’s better to be safe than sorry though, so precautions are advisable.
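To see why the unencrypted connection matters and what ‘always use https’ changes, here is an added example (not code from Mike Perry or Google) that models, in simplified form, how a browser decides which cookies to attach to a request under RFC 6265. The cookie name, host names and URLs are constructed, and the `Secure` cookie attribute it checks is standard browser behaviour that the article itself does not mention.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    domain: str           # host the cookie was set for (constructed value)
    path: str = "/"
    secure: bool = False  # True when Set-Cookie carried the Secure attribute

def domain_match(host, domain):
    # RFC 6265 section 5.1.3, simplified: the exact host or a subdomain of it
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def path_match(req_path, cookie_path):
    # RFC 6265 section 5.1.4
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False

def cookies_sent(jar, url):
    """Names of the cookies a browser attaches to a request for url."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    sent = []
    for c in jar:
        if not (domain_match(host, c.domain) and path_match(path, c.path)):
            continue
        if c.secure and parts.scheme != "https":
            continue  # Secure cookies are never sent over plain HTTP
        sent.append(c.name)
    return sent

def exposed_in_cleartext(jar, url):
    """Cookies readable by anyone observing the network path of this request."""
    return cookies_sent(jar, url) if urlsplit(url).scheme == "http" else []

# Constructed sample data: the same session cookie without and with Secure.
WEAK_JAR = [Cookie("SESSION_ID", "mail.example.com")]
HARDENED_JAR = [Cookie("SESSION_ID", "mail.example.com", secure=True)]
IMAGE_HTTP = "http://mail.example.com/images/logo.png"
IMAGE_HTTPS = "https://mail.example.com/images/logo.png"

if __name__ == "__main__":
    for label, jar in (("weak", WEAK_JAR), ("hardened", HARDENED_JAR)):
        print(label, "over http :", exposed_in_cleartext(jar, IMAGE_HTTP))
        print(label, "over https:", exposed_in_cleartext(jar, IMAGE_HTTPS))
```

Only the combination of a session cookie without `Secure` and a plain-HTTP request puts the session ID on the wire in the clear; forcing every request onto HTTPS or marking the cookie `Secure` removes that exposure.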

