GMail at gunpoint

    Robert Graham, CEO of Errata Security, said that encrypted services such as Google's Gmail could give an attacker access to temporary cookies (session cookies). This continues the statements he made in August 2007 that SSL (HTTPS) Gmail sessions should be better protected.

    Graham, working with David Maynor, created two tools (Ferret and Hamster) that together help him access temporary cookies, for example at a local hot spot such as an Internet cafe. Temporary cookies are what let you make purchases in an online store and return to the store's page later without re-entering the password. With temporary cookies taken from the user's PC, the password does not even have to be decoded, writes The Register.

    Graham demonstrated an attack on a Gmail account at the Black Hat USA 2007 conference, showing how to get to the inbox.

    Now Graham says on his blog that Gmail, in particular, connects to the hot spot primarily through JavaScript, and not SSL, which makes it possible to use the service to read temporary cookies and gain access to someone else's email. The same may apply to Amazon.com and other Web 2.0 sites.