At the recent Black Hat security convention, Robert Graham, the CEO of Errata Security, demonstrated on camera how he hijacked a Gmail session and read the victim’s emails. He sniffed the Wi-Fi network for cookies and copied them into his notebook using his own tool, Hamster. The hack doesn’t need the victim’s username or password to work. It only requires an IP address.
This hack has been reported to work on almost any cookie-based web application. Therefore, other web-based email services such as Yahoo Mail and Hotmail are vulnerable as well.
The good news is that this hack can be easily prevented with the use of SSL or any other type of encryption. However, it is reported that Internet users seldom use these forms of security measures when accessing their email, thus putting themselves at risk.
For example, accessing Gmail from http://mail.google.com will lead you to an SSL page where you enter your username and password. However, you will then be redirected to a non-SSL page to read your emails, which leaves your session cookie exposed to the sniffing described above.
On the other hand, accessing Gmail from https://mail.google.com (that doesn’t work for me, which is why I use https://mail.google.com/mail?tab=wm instead) forces Gmail to keep you on an SSL page after login.
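The login-then-redirect problem above can be checked from the defender's side. The following is an added example, not code from the original post or from Errata Security: it audits a captured login flow (a constructed sample on a hypothetical host, not real Gmail traffic) and reports a session cookie that is issued without the Secure attribute or that the browser would send over a plain http:// request after login.

```python
"""Audit a captured login flow for session cookies that could be sidejacked.

A cookie set without the Secure attribute is attached by the browser to every
plain-HTTP request to the same host, so a redirect from the HTTPS login page
to an http:// inbox exposes it to anyone sniffing the Wi-Fi.
"""
from urllib.parse import urlsplit

# Constructed sample flows (hypothetical host, not real Gmail traffic):
# each step is (URL the browser requests, Set-Cookie headers in the response).
WEAK_FLOW = [
    ("https://mail.example.test/login", ["sessionid=abc123; Path=/; HttpOnly"]),
    ("http://mail.example.test/inbox", []),   # post-login redirect drops to HTTP
]
HARDENED_FLOW = [
    ("https://mail.example.test/login", ["sessionid=abc123; Path=/; Secure; HttpOnly"]),
    ("https://mail.example.test/inbox", []),  # stays on HTTPS throughout
]


def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_flow(flow):
    """Return a list of findings; an empty list means no cookie is exposed."""
    findings = []
    jars = {}  # host -> {cookie name: True if it carries the Secure attribute}
    for url, set_cookies in flow:
        parts = urlsplit(url)
        jar = jars.setdefault(parts.hostname, {})
        # First the request: the browser attaches every non-Secure cookie it
        # already holds for this host, in cleartext if the scheme is http.
        if parts.scheme == "http":
            exposed = sorted(n for n, secure in jar.items() if not secure)
            if exposed:
                findings.append(f"{url} sends {exposed} in cleartext")
        # Then the response: record newly issued cookies and flag missing Secure.
        for header in set_cookies:
            name, attrs = parse_set_cookie(header)
            jar[name] = "secure" in attrs
            if not jar[name]:
                findings.append(f"{name} set by {url} without the Secure attribute")
    return findings


if __name__ == "__main__":
    for label, flow in (("weak", WEAK_FLOW), ("hardened", HARDENED_FLOW)):
        print(label, audit_flow(flow) or "OK")
```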
There are some photos of the hacking demonstration available. Remember to always use an SSL page (https) whenever there is such an option. Protect yourself online.