AdvertisingAdvertise Contact UsContact Visitors comments to Malware Help. OrgComments

Subscribe: EMail, IM, Twitter, Skype Subscribe to Malware Help. Org Full Post Feed Full Post Subscribe to Malware Help. Org Summary Feed Summary

Browse > Home / Email Security, Vulnerabilities / Google Mail vulnerable to sidejacking despite SSL

Google Mail vulnerable to sidejacking despite SSL

February 8, 2008 by Shanmuga  
Filed under Email Security, Vulnerabilities

Leave a comment

malware-help0037-12-jan-08.jpg"According to security researcher and CEO of Errata Security Robert Graham, Google’s JavaScript code makes HTTP requests in the background via an XMLHttpRequest. By default, these requests are SSL-encrypted—but if SSL fails, they change to nonencrypted mode. When a user attempts to connect to a WiFi hotspot, Google Mail attempts to connect with SSL both enabled and disabled. Even if the attempt fails, session-ID cookies are still transmitted to the router, and can therefore be captured by anyone sitting nearby with an appropriately configured software suite.

Graham himself references Google Mail as an example of this problem, but it’s far from the only site affected, and the https:// alternative it offers is still better than what you can get on other sites. Facebook, MySpace, and Yahoo Mail are all affected by the issue, as are other "Web 2.0" sites." - Content courtesy of Researcher: Google Mail vulnerable to sidejacking despite SSL

  • StumbleUpon
  • Digg
  • Reddit
  • del.icio.us
  • Facebook
  • MySpace
  • TwitThis
  • Google
  • Yahoo! Buzz
  • Live
  • YahooMyWeb
  • E-mail this story to a friend!

For more articles like this one, please subscribe to my RSS feed! or receive updates via Email, IM, Twitter, Skype.

You may also like to read

Comments

Feel free to leave a comment...
and oh, if you want a pic to show with your comment, go get a gravatar! or you can even subscribe to our comments feed.





Tags

More News, Articles from elsewhere