Google Mail vulnerable to sidejacking, even though it has SSL

According to security researcher and CEO of Errata Security Robert Graham:

Google’s JavaScript code makes HTTP requests in the background via an XMLHttpRequest. By default, these requests are SSL-encrypted—but if SSL fails, they change to nonencrypted mode. When a user attempts to connect to a WiFi hotspot, Google Mail attempts to connect with SSL both enabled and disabled. Even if the attempt fails, session-ID cookies are still transmitted to the router, and can therefore be captured by anyone sitting nearby with an appropriately configured software suite.

Full coverage

Written by pinolobu on February 3rd, 2008 with no comments.
Read more articles on news.

[+] Digg: Feature this article
[+] Del.icio.us: Bookmark this article
[+] Furl: Bookmark this article

Web attacks that target the clipboard (August 19th, 2008)
DNS cache poisoning vulnerability worse than feared (August 7th, 2008)
Citibank ATM breach highlights PIN security issues (July 31st, 2008)
DNS cache poisoning exploits has begun (July 28th, 2008)
ICANN’s icann.com and iana.com hijacked, but recovered in 20 minutes (July 12th, 2008)

No comments

There are still no comments on this article.

Leave your comment...

If you want to leave your comment on this article, simply fill out the next form:

You can use these XHTML tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> .

Google Mail vulnerable to sidejacking, even though it has SSL

Related articles

No comments

Leave your comment...

Identification

Article search

Sections

Last articles

Categories

Monthly archives

Favourite sites

Subscribe to this site