At this year’s DefCon, a disturbing hack was shown off which involved breaking into a victim’s Gmail account over wifi. Robert Graham, who demonstrated this vulnerability, showed how simple the hack was by breaking into an account during a presentation. All he had to do was select an IP address of any computer he was able to see on any wifi network, and watch any cookies traveling between it and the wireless access point. Because Google only uses SSL by default on the login page, cookies sent to Gmail after the login process is completed are vulnerable to interception. What’s worse is that this hack will actually work for any website that uses cookies to track login information–that’s a lot of websites. Graham claimed to have successfully tested his hack on Yahoo Mail as well, for example.

Luckily, all hope is not lost. There is a simple way to guard yourself against this hack even if you are forced to use an unencrypted wifi hotspot or one encrypted using the ineffective WEP. All you have to do is remember to manually tell Gmail to use SSL for the entire session by using the address: https://gmail.com. If you use Firefox like I do, you can also use an extension called CustomizeGoogle to automatically do this for you–just make sure that you enable the “Secure” option for Gmail after installing it.

Unfortunately, there are probably a lot of other websites which don’t offer you the option of using SSL to encrypt your entire session. In these cases, my best advice would be to either avoid using these websites on weakly-protected networks or at least use different passwords so that if, for example, a hacker steals your randomwebsite.com login information he or she can’t use it to log into your bank website.
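An added example, not from the original post or from Graham's talk: the weakness described above comes down to login cookies that the browser will also attach to plain HTTP requests. A site owner can check for this by looking for the `Secure` attribute on each `Set-Cookie` header the login page returns; the cookie names and header values below are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    secure: bool
    http_only: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into its name and the flags we audit."""
    parts = [p.strip() for p in header.split(";")]
    # Only the first '=' separates name from value; values may contain '='.
    name, _, _value = parts[0].partition("=")
    # Attribute names are case-insensitive. Compare whole attribute names,
    # so "Path=/secure" is not mistaken for the Secure flag.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return Cookie(name.strip(), "secure" in attrs, "httponly" in attrs)


def exposed_on_http(set_cookie_headers, session_names):
    """Return session cookies lacking Secure: the browser sends these over
    http:// too, where anyone on the same open wifi network can read them."""
    exposed = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name in session_names and not cookie.secure:
            exposed.append(cookie.name)
    return exposed


# Constructed sample: headers from a hypothetical HTTPS login response.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",      # no Secure: exposed after login
    "AUTH=def456; Path=/; Secure; HttpOnly",   # only ever sent over HTTPS
    "lang=en; Path=/",                         # preference, not a session cookie
    "REMEMBER=ghi789; Path=/secure; secure",   # lowercase attribute still counts
]
SESSION_NAMES = {"SESSIONID", "AUTH", "REMEMBER"}

if __name__ == "__main__":
    for name in exposed_on_http(SAMPLE_HEADERS, SESSION_NAMES):
        print(f"{name}: no Secure attribute, will travel over plain HTTP")
```
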