Expert demos Gmail hacking on public Wi-Fi
By John Pospisil
A demonstration of a new set of software tools at the Black Hat hacker conference in Las Vegas has highlighted the danger of using public Wi-Fi to log into online services.
Robert Graham of Errata Security was able to hijack a Gmail account in real time during the demonstration. It had been thought that sites such as Gmail were safe because they encrypted data when people logged in.
Graham developed two programs, “Hamster” and “Ferret”, to monitor the flow of information across a public Wi-Fi hotspot and grab the unencrypted cookies that web sites use to validate the browsers of users who have logged in.
Using the Gmail account of a hapless Black Hat attendee who was checking his email, Graham showed it was possible to intercept the validation cookie, attach it to a web browser running on his machine, and gain access to the attendee’s account.
Hackers could use the same technique to gain access to other mail services, as well as social networking sites like MySpace. Once a hacker had seized an account, he or she could then change the password, making it impossible for the legitimate user to access their account.
“If I sniff your Gmail connection and get all your cookies and attach them to my Gmail, I now become you, I clone you, Web 2.0 is now fundamentally broken,” said Graham, according to a report by The Register.
Graham advised that the only way someone could protect themselves was to use Google to select options that automatically keep Gmail encrypted during the whole session.
Graham plans to make the tools available on his company’s web site.
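The exposure described above comes down to validation cookies travelling over unencrypted HTTP after an encrypted login. A browser sends a cookie over plain HTTP unless the site marked it with the standard `Secure` attribute, so a site operator can audit a login response for cookies that lack it. The following is an added example, not code from the article or from Graham's tools; the header lines, cookie names and the `mail.example` domain are constructed sample data.

```python
# Added example: find cookies in a login response that a browser would also
# send over plain HTTP, where anyone on the same hotspot can read them.

SAMPLE_LOGIN_RESPONSE = [  # constructed sample, not captured from a real service
    "Set-Cookie: SESSION_ID=3f9ac2e1; Domain=.mail.example; Path=/",
    "Set-Cookie: AUTH_TOKEN=77b0d4aa; Domain=.mail.example; Path=/; Secure; HttpOnly",
    "Set-Cookie: prefs=lang-en; Path=/; HttpOnly",
    "Content-Type: text/html",
]


def parse_set_cookie(header_line):
    """Return (name, attributes) for one Set-Cookie line, or None otherwise."""
    field, _, value = header_line.partition(":")
    if field.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        return None
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() or True
    return name, attrs


def cleartext_cookies(header_lines):
    """Names of cookies without Secure, i.e. sent on http:// requests too."""
    exposed = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed and "secure" not in parsed[1]:
            exposed.append(parsed[0])
    return exposed


if __name__ == "__main__":
    for name in cleartext_cookies(SAMPLE_LOGIN_RESPONSE):
        print(f"{name}: no Secure attribute, also sent over unencrypted HTTP")
```
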
August 3rd, 2007
Yes, that danger has always been around. I could make a day out of sniffing wireless transmissions. :)
Just remember, when you go wireless, expect everything you see and do to be intercepted.
Also, many users use the same passwords and usernames from site to site.