The Next Web

BBC Hacks into GMail Account Over WIFI. Scary S**t.

By Zee
October 31, 2009
Tweet This
Tip Techmeme
Submit to Hackernews

Share


Comments

BBC Watchdog is British TV program that investigates viewers’ reports of problematic experiences with traders, retailers, and other companies around the UK. A recent investigation has discovered that wi-fi hot spots across the country are not secure – leaving tens of thousands of users at risk of fraud.

In this particular case they reveal how easy it is to hack into someones GMail account over Wifi, sending emails and changing their password. According to Danny Sullivan who shared the link on Twitter, if he’d signed via secure https, he’d probably have been safe – can anyone verify?

If you can’t see the video below, watch it here.

BBC Hacks into GMail Account Over WIFI. Scary S**t.
Tags: , ,  

  • Bruce
    I don't understand... signing into gmail uses https: to sign in. As an option I also use the gmail setting to use https: all the time so the entire session is encrypted. I wonder if the point of this is that the user didn't have https: option on. I guess I am wondering what makes using the hot spot un-secure. I think with https on all the time then you are safe.
  • Dennis
    I think Gmail doesn't use https all the time by default. Shame!
  • ewoks
    it's not! but u can set it 2 b encrypted for every session..
  • Haas
    There sharing not many details as, did he got his pw?
  • Zac
    It would be nice if they included more technical details, but I bet this wouldn't be possible if the connection were over https. You can turn off unencrypted http access in your gmail settings, which will force the more secure https. But it's probably not hacker-proof.
  • Its a scare tactic video made for the majority of the population who are dumber than a box of rocks. That's why they included ZERO technical details.
  • Google Mail blog recently recommended using HTTPS. Easy to set up in Gmail settings, General tab.

    Link to blog post:
    http://gmailblog.blogspot.com/2009/10/gmail-acc...

    Watchdog programme notorious for over-hypeing issues, but this should be addressed.
  • This attack is indeed possible using sidejacking. I've written the details up in a short post (referring back to this one): http://cpbotha.net/2009/11/01/your-gmail-accoun...
  • rz
    Cookie sniffing (using kismet)

    Then move the cookie into your cookie folder and browse google and your auto logged in!

    You also get access to all of googles services, eg. you could upload illegal stuff or send abusive comments.

    Sessions last a whole hour!

    http://xeesoft.com/books/Hacking.W.N.pdf
  • Damn, is it 2003 all over again? Unsecure wifi, is unsecure. Who knew?
  • simo
    http or https, makes no difference, because it's a man in the middle attack (using either dsniff or wsniff), I'll bet my a** on it. It's known for years, wake up people.
  • Using https improves things but doesn't solve the problem which is inherent in the way many web2.0 sites have been built with ajax. Details can be found here: http://arstechnica.com/business/news/2008/02/re...
  • Apparently GMail has plugged this specific one by also tagging the GX auth cookie as secure, in SSL mode it can only cross via SSL.

    See this post from Robert Graham's blog: http://erratasec.blogspot.com/2008/08/google-vs...
blog comments powered by Disqus
 


TwitterCounter