Comments on: BBC Hacks into GMail Account Over WIFI. Scary S**t.

By: Tony Ash

Tony Ash — Sun, 06 Jun 2010 15:05:59 +0000

Reynhardt van Blommenstein is Hacking a Google G-mail e-mail accounts at will.
He is employed by Millers Attorneys (George & Cape Town) – Western Cape to do so and getting paid for it – Lefevré Joubert – 083 447 1269 – +27 (0)44 874 1140 – van Blommenstein – Great Brakriver – Garden Route South Africa.
Millers Attorneys (George & Cape Town) – Western Cape.
I have complained to Google, Millers Attorneys, Mweb, South African Police, Reynhardt van Blommenstein, Law Society of South Africa no joy.

By: Reynhardt van Blommenstein

Reynhardt van Blommenstein — Sun, 16 May 2010 06:27:55 +0000

Reynhardt van Blommenstein

Hacking Google G-mail e-mail accounts at will.

He is Hacking Google G-mail e-mail accounts at will.

Reynhardt van Blommenstein – Great Brakriver – Garden Route South Africa

Email: reynhardtvb.photography@yahoo.com

Contact Number: Fax: +27 44 696 6364 Tel: +27 82 798 6268

This author made many complaints with no response.

By: Charl Botha

Charl Botha — Sun, 01 Nov 2009 16:55:30 +0000

Apparently GMail has plugged this specific one by also tagging the GX auth cookie as secure, in SSL mode it can only cross via SSL.

See this post from Robert Graham’s blog: http://erratasec.blogspot.com/2008/08/google-vs-sidejacking-round-7.html

By: ewoks

ewoks — Sun, 01 Nov 2009 11:35:47 +0000

it’s not! but u can set it 2 b encrypted for every session..

By: Mark Cheverton

Mark Cheverton — Sun, 01 Nov 2009 11:22:11 +0000

Using https improves things but doesn’t solve the problem which is inherent in the way many web2.0 sites have been built with ajax. Details can be found here: http://arstechnica.com/business/news/2008/02/report-google-mail-vulnerable-to-sidejacking-despite-ssl.ars

By: simo

simo — Sun, 01 Nov 2009 10:31:41 +0000

http or https, makes no difference, because it’s a man in the middle attack (using either dsniff or wsniff), I’ll bet my a** on it. It’s known for years, wake up people.

By: Julian Bond

Julian Bond — Sun, 01 Nov 2009 10:03:46 +0000

Damn, is it 2003 all over again? Unsecure wifi, is unsecure. Who knew?

By: rz

rz — Sun, 01 Nov 2009 09:33:31 +0000

Cookie sniffing (using kismet)

Then move the cookie into your cookie folder and browse google and your auto logged in!

You also get access to all of googles services, eg. you could upload illegal stuff or send abusive comments.

Sessions last a whole hour!

http://xeesoft.com/books/Hacking.W.N.pdf

By: Charl Botha

Charl Botha — Sun, 01 Nov 2009 08:43:09 +0000

This attack is indeed possible using sidejacking. I’ve written the details up in a short post (referring back to this one): http://cpbotha.net/2009/11/01/your-gmail-account-can-be-hacked-over-insecure-wifi/

By: Thomas Costick

Thomas Costick — Sun, 01 Nov 2009 05:31:41 +0000

Google Mail blog recently recommended using HTTPS. Easy to set up in Gmail settings, General tab.

Link to blog post:
http://gmailblog.blogspot.com/2009/10/gmail-account-security-tips.html

Watchdog programme notorious for over-hypeing issues, but this should be addressed.