
Gmail Account Hacking [** PLEASE READ **]

  • 25-08-2008 11:18am
    #1
    Registered Users Posts: 43,774 ✭✭✭✭


    Sorry if this has been posted already but..

    Very interesting!
    Earlier this month, at a well-known conference, there was announced a tool that can hack into any GMail account, regardless of how good your password is, as long as the data is flitting around unencrypted.

    ..

    Google has always had it so that your login credentials flit around encrypted, but once that's done, drops you to an unencrypted session (for long reasons that work out to "it's cheaper that way" for several kinds of "cheaper"). This will leave you quite open to this tool when it's released into the wild at the end of the month.

    However, there's help! Google has just made it so that you can choose to have all your GMail traffic encrypted, and I would recommend this to any GMail user, even if you think "oh, my e-mail isn't that important". It's really easy to fix this. Actually, they should fix the dodgamn underlying bug, but leaving that aside for now, here's what you can do:

    Simply log into GMail, and click on the Settings link over in the top right corner. At the bottom of this screen is a section labelled "Browser Connection", which by default is set to "Don't always use https". Change this to "Always use https", then click the "Save changes" button directly below. That "should" keep you safe from people using this fascinating new toy.


Comments

  • Registered Users Posts: 8,225 ✭✭✭Ciaran500


    How does it work? Is it installed on a Gmail user's computer or is it remote?


  • Closed Accounts Posts: 1,910 ✭✭✭barnicles


    What little f*cker did that?:mad::mad::mad::mad::mad::mad::mad::mad::mad::mad::mad::mad::mad:


  • Registered Users Posts: 43,774 ✭✭✭✭Basq


    To be honest, I think it's unbelievable that Gmail isn't encrypted anyways.

    I always thought it was judging by the login page but when viewing your Inbox / Sent Items folders (etc), it's all unencrypted.


  • Moderators, Regional Midwest Moderators Posts: 11,054 Mod ✭✭✭✭MarkR


    Just changed my settings, thanks.


  • Registered Users Posts: 339 ✭✭dbs_sailor


    basquille wrote: »
    To be honest, I think it's unbelievable that Gmail isn't encrypted anyways.

    I always thought it was judging by the login page but when viewing your Inbox / Sent Items folders (etc), it's all unencrypted.

    Well, more security can only be a good thing! :D I've got ridiculous amounts of personal data on my Gmail account. I may do a cleanout.

    It'll be interesting to see how this tool works.


  • Registered Users Posts: 18,484 ✭✭✭✭Stephen


    Funny how they always require encryption when you use their imap/smtp service but not their web mail service.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Ciaran500 wrote: »
    How does it work? Is it installed on a Gmail user's computer or is it remote?
    It's local, based on a flag that is usually not set in the cookie of an SSL-connected site. Google have fixed the issue so the new cookie will block the exploit.

    So the new entry to your Buzzword Bingo cards these days is "Surfjacking" (link contains a video demo).
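
Added example (not part of the thread or of any poster's reply): the flag mentioned in the reply above is, in standard cookie terms, the `Secure` attribute, and a site owner can check for it by auditing the `Set-Cookie` headers an HTTPS response sends. The cookie names and header values below are constructed samples, and the function names are hypothetical.

```python
"""Audit Set-Cookie headers sent over HTTPS for the Secure attribute (added example)."""
from typing import NamedTuple


class CookieFinding(NamedTuple):
    name: str
    secure: bool     # False: the browser will also send this cookie over plain http
    httponly: bool   # reported for context; not the flag discussed in the thread


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attrs); attribute names are lowercased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")  # value may itself contain '='
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_https_response(set_cookie_headers):
    """Return one finding per cookie set by an HTTPS response."""
    findings = []
    for raw in set_cookie_headers:
        name, attrs = parse_set_cookie(raw)
        findings.append(CookieFinding(name, "secure" in attrs, "httponly" in attrs))
    return findings


def exposed_cookies(set_cookie_headers):
    """Names of cookies that lack Secure and so can leak on an unencrypted request."""
    return [f.name for f in audit_https_response(set_cookie_headers) if not f.secure]


# Constructed sample headers (hypothetical names, not captured from any real service).
SAMPLE_BEFORE = [
    "SESSION_ID=abc123; Path=/; Domain=.mail.example",
    "PREFS=lang=en; Path=/; secure",
    "NOTE=Secure; Path=/",  # 'Secure' here is the value, not the attribute
]
SAMPLE_AFTER = [
    "SESSION_ID=abc123; Path=/; Domain=.mail.example; Secure; HttpOnly",
    "PREFS=lang=en; Path=/; Secure",
]

if __name__ == "__main__":
    print("before:", exposed_cookies(SAMPLE_BEFORE))
    print("after: ", exposed_cookies(SAMPLE_AFTER))
```

Attributes are matched by name after splitting on `;`, so a cookie whose value merely contains the word "Secure" is still reported as exposed.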


  • Moderators, Technology & Internet Moderators Posts: 11,005 Mod ✭✭✭✭yoyo


    Changed setting to https just there cheers

    Nick


  • Registered Users Posts: 8,361 ✭✭✭Gadgetman496


    Cheers for the heads up.

    -

    "Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."



  • Registered Users Posts: 171 ✭✭ajmull


    Thanks for that tip. I have changed my settings.


  • Registered Users Posts: 81,630 ✭✭✭✭Overheal


    yes yes. That is part of the argument behind restructuring the web, for all of the poor security protocols. but that's not something they can just change overnight, is it.


  • Registered Users Posts: 2,593 ✭✭✭Soundman


    Anyone else using the taskbar Gmail Notifier? Once I changed my settings in my Gmail account, I can no longer connect to the Gmail account with my notifier....

    Anyone else notice this?

    Edit: Just changed the setting back and immediately I can connect to my Gmail account with Gmail notifier.


  • Registered Users Posts: 43,774 ✭✭✭✭Basq


    Soundman wrote: »
    Anyone else using the taskbar Gmail Notifier? Once I changed my settings in my Gmail account, I can no longer connect to the Gmail account with my notifier....

    Anyone else notice this?

    Edit: Just changed the setting back and immediately I can connect to my Gmail account with Gmail notifier.
    Yeah, this was noted on the original blogpost in one of the comments alright.

    Small price to pay to be honest.

    Does it still work if you use Google Talk?


  • Registered Users Posts: 2,593 ✭✭✭Soundman


    I don't use Google Talk, so I don't know I'm afraid.


  • Moderators, Education Moderators, Home & Garden Moderators Posts: 8,104 Mod ✭✭✭✭Jonathan


    Still no sign of forcing ssl on education google hosted mail. :(


  • Closed Accounts Posts: 2,987 ✭✭✭Auvers


    demo on how another tool does a similar job

    http://www.0x000000.com/index.php?i=628&bin=1001110100


  • Closed Accounts Posts: 64 ✭✭scotsmarc


    Maybe this is why you should always go with a quality mail provider.


  • Closed Accounts Posts: 3,119 ✭✭✭Wagon


    Cheers for that one!


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Soundman wrote: »
    Anyone else using the taskbar Gmail Notifier? Once I changed my settings in my Gmail account, I can no longer connect to the Gmail account with my notifier....

    Anyone else notice this?

    Edit: Just changed the setting back and immediately I can connect to my Gmail account with Gmail notifier.
    I'm using the plugin for Firefox and my Gmail account was disabled this morning, I'm assuming by the plugin attempting to connect. Just re-enabled it and bingo-bango.


  • Moderators, Education Moderators, Home & Garden Moderators Posts: 8,104 Mod ✭✭✭✭Jonathan


    scotsmarc wrote: »
    Maybe this is why you should always go with a quality mail provider.
    Like who? :rolleyes:


  • Registered Users Posts: 990 ✭✭✭rosboy


    There's a patch for Gmail Notifier to fix the problem created when you turn on "Always use HTTP" setting


  • Closed Accounts Posts: 16,339 ✭✭✭✭tman


    basquille wrote: »
    Yeah, this was noted on the original blogpost in one of the comments alright.

    Small price to pay to be honest.

    Does it still work if you use Google Talk?

    Google talk is still working fine for me after enabling that setting.
    Thanks for the heads up, I'll pass this on


  • Registered Users Posts: 43,774 ✭✭✭✭Basq


    tman wrote: »
    Google talk is still working fine for me after enabling that setting.
    Thanks for the heads up, I'll pass this on
    No worries tman. Assumed Google Talk would work alright.

    I wouldn't normally post this stuff.. but work with computing and developing websites is one of the primary areas I work in, and to leave your mail possibly compromised in an unsecured session is unforgivable really.
    rosboy wrote: »
    There's a patch for Gmail Notifier to fix the problem created when you turn on "Always use HTTP" setting
    Cheers for that rosboy.


  • Registered Users Posts: 27 thebandito600


    cheers I just changed mine there


  • Registered Users Posts: 3,871 ✭✭✭Conor108


    I've done this but I still get spam mail sent from me to me? Why is it from me? I've changed my password and always log in via https. Anyone know?


  • Closed Accounts Posts: 1,910 ✭✭✭barnicles


    ta


  • Registered Users Posts: 2,593 ✭✭✭Soundman


    Thanks for that rosboy. Worked a treat.


  • Registered Users Posts: 895 ✭✭✭brav


    I just checked my gmail account and all my pages are using https, also I couldn't see the option to use https in the settings. (see attachment)

    I also installed Better Gmail 2.0 and it has an option to force https, which is unticked but gmail is already using https

    Is there something I'm missing?


    UPDATE: I just realised I'm using Corporate Gmail or something (www.google.com/a/) and it seems this is always https, thus the reason I don't have the option to turn it off.
    Checked a normal gmail account it had the option.
    I use Gmail manager to get notifications in the status bar in Firefox and it works OK with Gmail corporate/apps (or whatever they are calling it)


  • Registered Users Posts: 314 ✭✭Alzar


    Updated my settings.

    Thanks!

