
Robert Graham, CEO of Errata Security, revealed that the session-ID cookies GMail uses can easily be hijacked and used for malicious purposes, including sending and receiving email and reading your private information. GMail does offer a secure HTTP (HTTPS) option (https://mail.google.com) that lets a user encrypt the whole session with SSL, but the GMail client will quietly fall back to non-HTTPS (plain, unencrypted HTTP) in the background if the HTTPS connection fails. In more technical terms, GMail makes Ajax HTTP requests via the XMLHttpRequest object. Those connections are encrypted with SSL by default, but if the SSL connection fails the request still goes through in unencrypted mode.
When a user relies on a WiFi hotspot as the Internet connection for reaching GMail and the SSL session fails, the connection is still established because of this background non-secure mode, and the session-ID cookies are transmitted in the clear to the router along with it.
They can therefore be captured by anyone sitting nearby with a suitably configured sniffing tool, who can then replay the session-ID cookies to read your email or to send malicious email that appears to come from you.
By default GMail encrypts only the login page with HTTPS, not the entire user session. That is still better than other big sites such as Facebook, MySpace, Yahoo Mail and other web 2.0 sites (but I think Yahoo Mail also has HTTPS for its login page, and provides a sign-in seal option too). But securing only the login page still leaves the exposure described above. So Graham recommends that sites like GMail, Facebook, MySpace and Yahoo Mail follow the financial institutions' websites, which encrypt the entire user session instead of being stingy and encrypting only the login page.
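The exposure described above, as an added example that is not from the article, from Google or from Errata Security: a constructed plaintext HTTP capture of the kind a sniffer on an open hotspot would see, the cookie extraction and replay header an attacker would build from it, and the Set-Cookie audit (Secure and HttpOnly attributes) that keeps a browser from ever sending the session cookie over a plain-HTTP fallback in the first place. The host name, cookie values and cookie names (GX and S are used only as placeholders) are assumptions, not real GMail data.

```javascript
// Added example (not the article's or Errata Security's code): what a sniffer sees
// when a session cookie crosses an open WiFi network over plain HTTP, and the
// Set-Cookie check that prevents it. All traffic below is constructed; the host,
// cookie names (GX, S are placeholders) and values are made up.

// Constructed capture: two requests as they appear in a plaintext HTTP stream.
const SAMPLE_CAPTURE = [
  "GET /mail/?ui=2&view=tl HTTP/1.1\r\n" +
  "Host: mail.example-webmail.test\r\n" +
  "Cookie: GX=DQAAAHoAAABsZXNzOm1haWxib3g; S=mail=Z1x2; PREF=ID=1\r\n" +
  "X-Requested-With: XMLHttpRequest\r\n\r\n",
  "GET /static/logo.png HTTP/1.1\r\n" +
  "Host: mail.example-webmail.test\r\n\r\n",
];

// Cookie names that usually carry authentication state (assumed list).
// Everything else is reported too, but flagged as non-session for triage.
const SESSION_COOKIE_NAMES = new Set(["GX", "S", "SID", "PHPSESSID", "JSESSIONID"]);

// Minimal HTTP request-line and header parser for one captured request.
function parseRequest(raw) {
  const [head] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const [method, path] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path, headers };
}

// Split a Cookie header on the first "=" of each pair (values may contain "=").
function parseCookieHeader(value) {
  const out = {};
  for (const part of value.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Sidejacking view: every cookie that crossed the wire in the clear, per host.
function extractCookies(capture) {
  const found = [];
  for (const raw of capture) {
    const req = parseRequest(raw);
    if (!req.headers.cookie) continue;
    const cookies = parseCookieHeader(req.headers.cookie);
    for (const [name, value] of Object.entries(cookies)) {
      found.push({
        host: req.headers.host,
        name,
        value,
        session: SESSION_COOKIE_NAMES.has(name),
      });
    }
  }
  return found;
}

// Replay: the attacker reuses the captured session cookies verbatim. This only
// builds the Cookie header they would send; no network request is made here.
function buildReplayCookieHeader(found, host) {
  return found
    .filter((c) => c.host === host && c.session)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Server-side check that survives an HTTP fallback: "Secure" tells the browser
// never to send the cookie over plain HTTP, "HttpOnly" keeps scripts from reading
// it. Returns the attributes that are missing from a Set-Cookie header value.
function auditSetCookie(setCookieValue) {
  const attrs = setCookieValue
    .split(";")
    .slice(1)
    .map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes("secure")) missing.push("Secure");
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  return missing;
}

// Stand-alone run: show what leaked and whether a sample Set-Cookie would leak it.
const leaked = extractCookies(SAMPLE_CAPTURE);
console.log("cookies seen in the clear:", leaked);
console.log("replay header:", buildReplayCookieHeader(leaked, "mail.example-webmail.test"));
console.log("missing on weak cookie:", auditSetCookie("GX=abc; Path=/; Domain=.example-webmail.test"));
console.log("missing on hardened cookie:", auditSetCookie("GX=abc; Path=/; Secure; HttpOnly"));
```

The audit is the check worth keeping: encrypting the whole session only helps if the browser is also forbidden from sending the session cookie over any plain-HTTP request to the same domain, and that is exactly what a fallback request like the one described above would be. A cookie set without the Secure attribute travels with it regardless of how the login page was served.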
via [arstechnica]
Technorati Tags: GMail, Google Mail, Google Mail security, GMail security, web 2.0, web20