Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Google Mail vulnerable to sidejacking despite SSL

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg |

malware-help0037-12-jan-08.jpg"According to security researcher and CEO of Errata Security Robert Graham, Google’s JavaScript code makes HTTP requests in the background via an XMLHttpRequest. By default, these requests are SSL-encrypted—but if SSL fails, they change to nonencrypted mode. When a user attempts to connect to a WiFi hotspot, Google Mail attempts to connect with SSL both enabled and disabled. Even if the attempt fails, session-ID cookies are still transmitted to the router, and can therefore be captured by anyone sitting nearby with an appropriately configured software suite.

Graham himself references Google Mail as an example of this problem, but it’s far from the only site affected, and the https:// alternative it offers is still better than what you can get on other sites. Facebook, MySpace, and Yahoo Mail are all affected by the issue, as are other "Web 2.0" sites." – Content courtesy of Researcher: Google Mail vulnerable to sidejacking despite SSL

{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: