automated password hijacking of Gmail, etc.


davidh
August 10th, 2008, 09:27 PM
Automated password hijacking vulnerability in Gmail, Amazon, Facebook, etc.

Brian Krebs on Computer Security

New Tool to Automate Cookie Stealing from Gmail, Others

LAS VEGAS, NEV. -- If you use Gmail and haven't yet taken advantage of a feature Google unveiled last week to prevent hackers from hijacking your inbox, now would be an excellent time to do that.

A security researcher at the Defcon hacker conference in Las Vegas on Saturday demonstrated a tool he built that allows attackers to break into your inbox even if you are accessing your Gmail over a persistent, encrypted session (using https:// versus http://).


http://voices.washingtonpost.com/securityfix/2008/08/new_tool_automates_cookie_stea.html

Brian Krebs on Computer Security

Gmail Gains Two New Security Features

Google this month rolled out two new security features to its free Gmail service. The first should protect users against people who might be lurking on your network trying to snoop or hijack your inbox. The other makes it easy for users to tell if they are signed on in more than one location and then remotely sign that machine out of your account.
http://blog.washingtonpost.com/securityfix/2008/07/gmail_gains_two_new_security_f_1.html

Note Gmail has a fix for it but YOU MUST SELECT THE APPROPRIATE OPTION MANUALLY in your Gmail settings.

Instructions:
Making security easier
Thursday, July 24, 2008 2:00 PM
Posted by Ariel Rideout, Gmail engineer

http://gmailblog.blogspot.com/2008/07/making-security-easier.html

It seems to me that the only GENERAL way to workaround this vulnerability would be always to log out of sites requiring passwords whenever you browse away from the site when you are using a wireless connection.

Note: "browsing away from a site" would/could include switching to another tab in a tabbed browser window.

DH
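The reason the Gmail setting above has to be switched on is how browsers scope cookies: a session cookie that the site sets without the Secure attribute is attached to every request for that host, plain http:// ones included, so an attacker on the same wireless network only has to make the victim's browser fetch any http:// URL on the mail host (for instance by slipping an image reference into some other unencrypted page the victim is viewing) and the cookie crosses the air in the clear, encrypted session or not. Forcing HTTPS lets the site set the cookie with Secure, after which the browser withholds it from http:// requests. The following is an added example, not code from the original post or from Krebs's articles; it uses Python's standard-library cookie jar, which applies the same Secure rule a browser does, against a constructed host name (mail.example.test), constructed paths and a constructed cookie value, none of which are Google's.

```python
"""Shows why "always use https" matters for session cookie hijacking.

Added example, not from the original post.  The host name, paths and the
cookie name/value are constructed for illustration; the stdlib cookie jar
enforces the same Secure-attribute rule that browsers do.
"""
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Just enough of a urllib response for CookieJar.extract_cookies():
    it only needs .info() to return a header object with .get_all()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value   # Message keeps duplicates

    def info(self):
        return self._headers


def cookies_sent(set_cookie_headers, login_url, later_url):
    """Simulate a browser that logs in at login_url, receives the given
    Set-Cookie headers, and later requests later_url.  Return the Cookie
    header it would attach to that later request ("" if none)."""
    jar = http.cookiejar.CookieJar()          # default policy == browser rules
    login = urllib.request.Request(login_url)
    jar.extract_cookies(_FakeResponse(set_cookie_headers), login)
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie", "")


# Constructed scenario (not real Google hosts or cookies).
LOGIN_URL = "https://mail.example.test/login"      # the encrypted session
INBOX_URL = "https://mail.example.test/inbox"
# Any plain-http URL on the mail host.  An attacker on the same Wi-Fi can make
# the victim's browser fetch it by injecting something like
# <img src=http://mail.example.test/x.gif> into any unencrypted page.
INJECTED_HTTP_URL = "http://mail.example.test/x.gif"

SESSION_COOKIE = "SID=s3ss10nt0k3n"
# What a site sets when it still allows plain-http sessions:
WITHOUT_SECURE = [SESSION_COOKIE + "; Path=/; HttpOnly"]
# What it can set once the whole session is forced onto https:
WITH_SECURE = [SESSION_COOKIE + "; Path=/; HttpOnly; Secure"]


def leaks_over_http(set_cookie_headers):
    """True if the session cookie would ride along on the plain-http fetch,
    i.e. be readable by anyone sniffing the wireless network."""
    sent = cookies_sent(set_cookie_headers, LOGIN_URL, INJECTED_HTTP_URL)
    return SESSION_COOKIE in sent


if __name__ == "__main__":
    for label, headers in (("no Secure flag", WITHOUT_SECURE),
                           ("Secure flag", WITH_SECURE)):
        https_cookie = cookies_sent(headers, LOGIN_URL, INBOX_URL)
        http_cookie = cookies_sent(headers, LOGIN_URL, INJECTED_HTTP_URL)
        print(f"{label}: https inbox request carries {https_cookie!r}")
        print(f"{label}: injected http request carries {http_cookie!r}")
        print(f"{label}: leaks over http? {leaks_over_http(headers)}")
```

Both header sets work identically for the real https:// inbox request; the only difference is that the Secure variant keeps the cookie out of the attacker-provoked http:// request. This is why logging out, as suggested below, and the Secure attribute are complementary: logging out kills the cookie server-side, while Secure stops the browser from ever exposing it on the wire.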

davidh
September 2nd, 2008, 02:40 PM
The Webmail extension of T-bird supports Yahoo & Hotmail among others. I'm thinking that the T-bird Webmail extension would either eliminate or very much reduce this password cookie stealing vulnerability.

Another advantage would be: fewer ads to look at.

It seems to work with my yahoo account. I have both Yahoo webmail and my T-bird Yahoo Webmail extension configured for "classic" web interface.

I may have to adjust some timeout in T-bird to download big email attachments from Yahoo, but so far the T-bird Webmail extension seems to work well enough for me.

http://webmail.mozdev.org

Note: email traffic may well still be unencrypted, so this "workaround" of the T-bird Webmail extension would only help protect against password cookie stealing but not against other kinds of man-in-the-middle attacks. Of course, since the cookie stealing has apparently already been automated by the bad guys, it would make sense to protect against such a type of attack of stealing password cookies that one would expect to be more prevalent because of its ease (e.g. in Wi-Fi hotspots).

DH

davidh
October 3rd, 2008, 03:31 PM
I'm pretty sure that the webmail extension, say for Yahoo, still uses HTTP and cookies to login to download mail. If so, this extension for Thunderbird would probably NOT provide any additional protection from man-in-the-middle attacks. Except it might reduce the length of time during which password and/or ID cookie(s) might be available from the program (T-Bird). I would hope that neither T-bird nor the webmail extension would keep the cookies available long term for being requested by servers, but I don't know. :confused:

davidh
January 8th, 2009, 02:16 AM
I have found the webmail extension I am using for Yahoo mail on Thunderbird to be rather slow and unreliable. I am thinking about uninstalling it.

Since I have more than one Yahoo account, I have found the Pidgin (formerly GAIM) multiprotocol instant messaging program convenient for quickly logging into my Yahoo accounts with my browser without having to keep Yahoo cookies loaded in the browser. With Pidgin I can have more than one Yahoo account logged into IM and easily and quickly log in to any of the email accounts logged in to Yahoo IM. I.e. all Yahoo accounts remain in IM and I can easily switch back and forth between Yahoo webmail for the accounts without having to reenter the ID and password.

I don't think Miranda multiprotocol IM can do what Pidgin does.

I forget whether Trillian can (have multiple accounts logged in to the same service).
DH