Is it possible to hack into a gmail address ? - Really scary

September 07, 2007
Who doesn't have a gmail id now a days ? In my honest opinion, I am yet to discover a more user friendly web mail host. Gmail is non-intrusive, provides all the advanced and usable features such as POP3, mail search and much more.

But recently at a Black Hat security convention, Robert Graham, the CEO of errata security, surprised attendees by hijacking a Gmail session on camera and reading the victim’s email. He went even further by demonstrating the attack by taking over another journalist’s Gmail account and then sending emails from that account. Really scary.

So how do you protect yourself from somebody sniffing your email while it is in transit and then hacking into your gmail account ? There is one way to make it much harder for sniffing your mails. That is by sending and receiving mails using Gmail's SSL feature. SSL stands for Secure Sockets Layer and is used to provide secure data transfer across the web, for instance ecommerce sites use SSL to transmit your credit card details. Google provides the SSL feature for gmail and all it takes to enable SSL in Gmail is by typing the address https://mail.google.com instead of http://mail.google.com. Make note of the 's' in 'https'. What this does is instead of encrypting only the username and password, Gmail encrypts the whole mail session and this makes it possible to transfer your mails in a secure manner.

So the next time you decide to log on to your gmail account, use https instead of http and you will be fairly safe from getting your mail sniffed in transit.

3 comments:

  • Good advice! But what can I do if I use the GMail notifier plugin for Firefox? Is it using SSL by default?

  • Unknown

    Sonja,

    You can always use GMail Manager Plugin for firefox. It does everything Gmail Notifier plugin does and has an option to use SSL by default.

  • This is not a gmail hack, but rather a failure of network security and PC security. The same hack will work on any software that transmits passwords or handshaking cookies in the clear, or on a network where packet sniffing of others data streams is improperly permitted.