davidh
August 10th, 2008, 09:27 PM
Automated password hijacking vulnerability in Gmail, Amazon, Facebook, etc.
Brian Krebs on Computer Security
New Tool to Automate Cookie Stealing from Gmail, Others
LAS VEGAS, NEV. -- If you use Gmail and haven't yet taken advantage of a feature Google unveiled last week to prevent hackers from hijacking your inbox, now would be an excellent time to do that.
A security researcher at the Defcon hacker conference in Las Vegas on Saturday demonstrated a tool he built that allows attackers to break into your inbox even if you are accessing your Gmail over a persistent, encrypted session (using https:// versus http://).
http://voices.washingtonpost.com/securityfix/2008/08/new_tool_automates_cookie_stea.html
Brian Krebs on Computer Security
Gmail Gains Two New Security Features
Google this month rolled out two new security features to its free Gmail service. The first should protect users against people who might be lurking on your network trying to snoop or hijack your inbox. The other makes it easy for users to tell if they are signed on in more than one location and then remotely sign that machine out of your account.
http://blog.washingtonpost.com/securityfix/2008/07/gmail_gains_two_new_security_f_1.html
Note: Gmail has a fix for it, but YOU MUST SELECT THE APPROPRIATE OPTION MANUALLY in your Gmail settings.
Instructions:
Making security easier
Thursday, July 24, 2008 2:00 PM
Posted by Ariel Rideout, Gmail engineer
http://gmailblog.blogspot.com/2008/07/making-security-easier.html
It seems to me that the only GENERAL way to work around this vulnerability would be always to log out of sites requiring passwords whenever you browse away from the site when you are using a wireless connection.
Note: "browsing away from a site" would/could include switching to another tab in a tabbed browser window.
DH