August 05, 2007 | Comments: (0)
Hacking Gmail and other insecure SSL sites
Rob Graham demonstrated hacking Google's Gmail by sniffing the unprotected cookie.
Graham showed his hack at the Black Hat USA 2007 conference last week. He demonstrated his method by taking over an innocent conference-goer's Gmail account.
Essentially, the hack works by sniffing the user's web site cookie while it is in transit, before SSL/TLS has been enabled. Having stolen the cookie, the intruder can impersonate the user once the user has successfully logged in. The vulnerability exists because SSL/TLS is not enabled until after the user's cookie has been passed, instead of before, as it should be.
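The defensive counterpart to the weakness described above is to make sure a session cookie can never be sent over a plaintext connection in the first place, which is what the cookie's Secure attribute enforces. The following is an added example, not code from the original post or from Graham's demo, that audits Set-Cookie header values for session-looking cookies lacking Secure (and HttpOnly); the cookie names, header lines and the name heuristics are constructed assumptions.

```python
# Added example (not from the original post): audit Set-Cookie headers for a
# session cookie that could travel over plaintext HTTP, i.e. the condition the
# sniffing attack above depends on. Header lines and name hints are constructed.

from dataclasses import dataclass, field
from typing import List

# Assumed heuristic: cookie names containing these substrings are session-like.
SESSION_HINTS = ("sid", "sess", "auth", "token", "login")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header value into its cookie name and attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name=name, secure="secure" in attrs, http_only="httponly" in attrs)


def audit_cookies(headers: List[str]) -> List[CookieAudit]:
    """Flag session-like cookies that lack Secure (can be sent over plain HTTP and
    therefore sniffed in transit) or HttpOnly (readable by page scripts)."""
    results = []
    for h in headers:
        c = parse_set_cookie(h)
        looks_like_session = any(hint in c.name.lower() for hint in SESSION_HINTS)
        if looks_like_session and not c.secure:
            c.problems.append("session cookie without Secure: sent over plain HTTP")
        if looks_like_session and not c.http_only:
            c.problems.append("session cookie without HttpOnly")
        results.append(c)
    return results


# Constructed sample headers: the weak variant, the hardened variant, and a
# harmless preference cookie that needs no flags.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Domain=.example.test",
    "SESSIONID=abc123; Path=/; Domain=.example.test; Secure; HttpOnly",
    "prefs=dark; Path=/",
]

if __name__ == "__main__":
    for c in audit_cookies(SAMPLE_HEADERS):
        print(f"{c.name}: {'OK' if not c.problems else '; '.join(c.problems)}")
```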
Posted by Roger Grimes on August 5, 2007 07:45 PM