Public WiFi is not secure for Web 2.0 services

Do you use GMail, Yahoo! Mail, MySpace, Hotmail or any of the other online services via a public WiFi connection? Guess what? Your online accounts can be hacked in a matter of minutes. Read more at The Register:
Flash: Public Wi-Fi even more insecure than previously thought
How to gain permanent access to Gmail accounts

Users of Yahoo! Mail, MySpace and just about every Web 2.0 service take note: If you access those services using public Wi-Fi, Rob Graham can probably gain unlimited access to your account - even if you logged in using the secure sockets layer protocol.

Graham, who is CEO at Errata Security, demonstrated the hack to attendees of the Black Hat security conference in Las Vegas. The technique uses a plain-vanilla network sniffer to read the cookies returned by Google Mail, Hotmail and scores of other sites after a user has entered login credentials.

The websites rely on the cookie as a session ID to validate the browser as belonging to the person who just logged in. By copying the cookie and attaching it to a completely different browser Errata Security researchers showed it was easy to gain unfettered access to the accounts of others.

"If I sniff your Gmail connection and get all your cookies and attach them to my Gmail, I now become you, I clone you," Graham said during a presentation on Thursday. "Web 2.0 is now fundamentally broken."

The technique allowed Graham to open the Gmail account of an unsuspecting Black Hat attendee who had used the conference access point to get his email. Although the Errata Security chief closed the window several seconds after accessing it, nothing short of good manners prevented him from reading the person's messages, or, for that matter, accessing maps, calendar or other Google properties used by that person.

The hack caught our attention because it shatters a common assumption concerning secure surfing on public access points. Up until now, we felt relatively safe using hotspots to access email as long as we logged in with an SSL session. Yes, we knew that any subsequent pages that were not appended by "https" in the address bar were susceptible to snooping, but intruders still had no way to access the account itself.

Now we know better. Any session that isn't protected from start to finish by SSL is vulnerable to the hack. And because session IDs generated by most sites are valid for an indefinite period, that means intruders could silently access our accounts for years - even if we regularly change our passwords.
Very elegant hack and very bad news for the uninitiated...
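
The two weaknesses the article describes, a session cookie that travels outside SSL and a session ID that stays valid after a password change, both have server-side fixes. The sketch below is an added example, not code from The Register, Errata Security or any of the sites named; `SessionStore`, the `sid` cookie name and the 30-minute lifetime are assumptions chosen for illustration, and the `Secure` flag only helps if the whole site is served over HTTPS.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60  # assumed policy: a session lives 30 minutes


class SessionStore:
    """Hypothetical in-memory session table keyed by an unguessable token."""

    def __init__(self):
        self._sessions = {}    # token -> (user, issued_at)
        self._pw_changed = {}  # user -> time of last password change

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, now)
        return token

    def change_password(self, user, now=None):
        # Record the change so every older session for this user is rejected.
        self._pw_changed[user] = time.time() if now is None else now

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, issued = entry
        expired = now - issued > SESSION_TTL
        revoked = issued <= self._pw_changed.get(user, float("-inf"))
        if expired or revoked:
            del self._sessions[token]  # a copied cookie stops working here
            return None
        return user


def session_cookie_header(token):
    """Build a Set-Cookie value the browser returns only over HTTPS."""
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["secure"] = True    # never attached to plain-HTTP requests
    cookie["sid"]["httponly"] = True  # not readable from page scripts
    cookie["sid"]["max-age"] = SESSION_TTL
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()
```

With these checks a cookie copied from the network stops working once the session times out or the account owner changes the password, instead of remaining valid indefinitely.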

About this Entry

This page contains a single entry by DaveH published on August 3, 2007 8:30 PM.
