How To Hack Gmail Account & How To Protect Your Gmail Account
By Angsuman Chakraborty, Gaea News Network
Wednesday, August 20, 2008
1. How can you hack GMail account?
2. How can you protect your GMail account from hackers?
Hackers at Defcon demonstrated a tool that hacks into GMail accounts by snooping on unencrypted data (a man-in-the-middle attack) and capturing the cookie that Google GMail, by default, uses for everything other than login.
Last week Google introduced the option to encrypt all transmission to and from GMail, not just the login sequence. Previously GMail encrypted the login sequence only. All other data was transmitted unencrypted over the wire, making such hacking possible. Every email, every article that you read on your GMail account is transmitted unencrypted over the web.
This makes it possible for an attacker sniffing traffic on the network to insert an image served from https://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks.
Mike Perry, the San Francisco-based reverse engineer who developed the GMail hacking tool, is planning to release it in two weeks. He is unhappy that Google didn’t inform its users about the seriousness of the problem. Effectively anyone with basic networking knowledge can implement the hack. It could be your employer, your angry girlfriend or your curious neighbor or just any damn script-kiddie with too much time on his hands.
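The exposure described above comes down to which cookies a browser attaches to an unencrypted request. The following is an added example, not code from the original article or from Google: it applies the standard browser rule that a cookie marked Secure is only sent over https, and reports which cookies from a set of Set-Cookie headers would travel in clear text. The cookie names, values and the host mail.example.test are constructed placeholders, and Path matching is left out for brevity.

```python
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers (not real Gmail cookies).
SAMPLE_HEADERS = [
    "SESSION_ID=constructed-value-1; Path=/; HttpOnly",
    "SECURE_SESSION=constructed-value-2; Path=/; Secure; HttpOnly",
    "PREFS=lang-en; Domain=.example.test; Path=/",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into its name and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def domain_matches(host, cookie_domain):
    """True if host equals the cookie domain or is a subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cookies_sent(cookies, url, origin_host):
    """Names of the cookies a browser would attach to a request for url.

    origin_host is the host that set the cookies; a cookie without a
    Domain attribute is host-only and goes back to that host alone.
    """
    target = urlsplit(url)
    host = target.hostname.lower()
    sent = []
    for cookie in cookies:
        domain = cookie["attrs"].get("domain")
        in_scope = domain_matches(host, domain) if domain else host == origin_host.lower()
        if not in_scope:
            continue
        # The Secure attribute keeps the cookie off plain-HTTP requests.
        if "secure" in cookie["attrs"] and target.scheme != "https":
            continue
        sent.append(cookie["name"])
    return sent

def exposed_over_http(headers, origin_host):
    """Cookies that would cross the network unencrypted for origin_host."""
    cookies = [parse_set_cookie(h) for h in headers]
    return cookies_sent(cookies, "http://%s/" % origin_host, origin_host)
```

Any session cookie that `exposed_over_http` returns is readable by anyone who can observe a single plain-HTTP request to that host.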
How can you protect your GMail account from hacking?
The solution is surprisingly simple. After logging in to GMail go to Settings (General tab). At the bottom of the page you will notice Browser Connection. Change it to Always use https. Now save the settings. In Google’s words:
To enable this feature in Gmail:
- Sign in to Gmail.
- Click Settings at the top of any Gmail page.
- Set ‘Browser Connection’ to ‘Always use https.’
- Click Save Changes.
- Reload Gmail.
That’s all you need to protect your GMail account from getting hacked. However there are a few caveats.
How can securing GMail affect you?
- GMail may become slightly slower. Personally I think it is an acceptable cost for security but you decide.
- Gmail Notifier users must download a patch for GMail Notifier (Gmail Notifier is a downloadable application that alerts you whenever you have new Gmail messages) to work with this setting. To install the patch follow these steps:
  - Download the patch (.zip).
  - Open the folder.
  - Double-click the notifier_https.reg file.
  - Click yes when you’re asked to confirm if you want to add the information to the registry.
  - Restart the Notifier.
- You may see errors in the Gmail for mobile application from enabling this setting. The specific errors vary by device, but in general you’ll see ‘unexpected error’ or have the app suddenly quit on you. If you have the latest version of the app (1.5) (If you need to find the version number of the application that’s installed on your mobile phone, please select Menu > More > Help. The version number and platform will be displayed.), you can work around these errors by also enabling the app’s own ‘Always use secure network connections (slower performance):’ setting from your device and then signing out:
  - Select Menu > Go to > Settings.
  - Check the Always use secure network connections (slower performance): option.
  - Make sure the ‘Always keep me signed in’ option is NOT checked (in order for you to sign out).
  - Save your changes.
  - Select Menu > Exit Gmail.
  - Restart the app and sign in.