Thursday, 26 June 2008

Login without password- It's Ultimate Hacking

Do You still Think that You are safe if you're using email sites like Gmail or Yahoo, and they can't be hacked!!
If so Sorry, have to update yourselves!!!
"Hackers Dont Need Passwords To enter Your Mail account"

The above thing is proved by Robert Graham (CEO Errata Security) at his presentation on Web 2.0 hijacking presentation at Black Hat 2007

Mr. Robert Graham

The audience erupted with laughter and applause when Graham used his tools to hijack someone’s Gmail account during an unscripted demo. The victim in this case was using a typical unprotected Wi-Fi Hotspot and his Gmail account just popped on the large projection screen for 500.

Rob demonstrated to a live audience how he can successfully hack into web based email programs like GMail, Yahoo Mail! or Hotmail using the IP Address and user name (login) without requiring any password.

Let's not go in the very technical details but he used some sniffing tools called Ferret (to copy the GMail cookies to his computers) and Hamster (to use the cookies in his browser). [Details at ZDNet, TG Daily]

You Can Stop persons like Graham??
So what can we do to prevent someone else from reading your mails on yahoomail and on Gmail?

Rob's method works when you are using the HTTP mode to access your email ( Therefore the trick is to always use Secure Login.

Here is a simple thing which you can do to safeguard your email in public wi-fi hot spots- Use https:// instead of the default http://- the entire session will be encrypted and the cloning cookies method will fail:

For GMail:
For iGoogle:
For basic HTML version
of GMail -

You can also install the Customize Google Firefox extension, that will always force the SSL mode in GMail incase you forget to manually type the https:// GMail URLs.

It is highly recommended also because it will also encrypt your other google services to open in SSL mode, like Google Docs, Google Reader, Google Calander, Google Web history, iGoogle and there are many more.

For Yahoo mail, it is recommended to use the "Secure" mode link, that's just beneath the 'sign in' button

1 comment:

  1. Mr. Grahmn is wrong on last part that https is secure as well because a tunneling method can be attempted even if it's secure, agreed it might take time but possible chance with tunneling it can still work.


Related Posts with Thumbnails