Wi-Fi threat for Gmail users
Gmail accounts are left open to attack on wireless networks because of a flaw in the way that Google handles SSL connections, claims a security researcher.
Gmail is capable of using SSL encryption, if the user places HTTPS before the URL, which protects data from eavesdropping.
The approach is very secure, but if the SSL connection fails, Gmail reverts to sending unencrypted data.
Such a failure can be easily provoked by a hacker, by sending a reset packet to the victim’s PC. This allows them to retrieve an unencrypted session ID, which can be used to masquerade as the victim, gaining access to their account.
Robert Graham, CEO of Errata Security, recently published a blog post on the technique, termed “side jacking”.
The researcher has developed two tools, Ferret and Hamster, which automate side-jacking hacks.
“This also begs the question why I distribute these if they are hacking tools. The answer is: because they demonstrate the problem. People don’t believe a problem exists unless they can see it for themselves,” says Graham.
Such vulnerabilities are not new, and similar attacks were widely demonstrated at last year’s DefCon hacking conference. However, this latest security threat in Gmail means that many users who believe themselves to be secure may in fact be vulnerable to attack.
Google was unavailable for comment at the time of writing.