Fort Worth, TX (WiredPRNews.com)—It’s much too easy for hackers to intercept website communications over unsecured wireless networks, according to Mike Perry, a reverse engineer and developer at Riverbend Technology.
Perry, who does security research, created an exploit that would allow hackers to steal confidential data from users who visit sites such as Yahoo Mail, Facebook and Hotmail over unsecured Wi-Fi networks. The flaws involve session cookies and the Secure Sockets Layer (SSL) protocol.
Most sites don’t use SSL past the log-in page, according to an Aug. 22, 2008 CNET article by Elinor Mills, and this “exposes the users’ cookies to theft via sniffing by someone else on the network.”
The second problem is with the secure and insecure modes of session cookies. The cookies, which sites use to check that a computer matches the supplied name and password, can be hijacked by a hacker if they are not flagged as secure when set over SSL. This security flaw allows the hacker to pose as the web surfer and steal information from bank and e-mail accounts.
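As an added illustration (not part of the original article or of Perry's work), a site owner can check the Set-Cookie headers returned over SSL for cookies that lack the Secure flag. The cookie names, header values and function names below are constructed for the example.

```python
# Added example: audit Set-Cookie headers for the Secure attribute.
# All header values are constructed samples, not captured traffic.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookies(set_cookie_headers, scheme="https"):
    """Return (cookie name, issue) pairs for cookies exposed to sniffing."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if scheme != "https":
            findings.append((name, "set over plain HTTP; readable on the wire"))
        elif "secure" not in attrs:
            findings.append(
                (name, "no Secure flag; browser will also send it over HTTP")
            )
    return findings


# Constructed sample: headers a log-in response might return over SSL.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",
    "AUTH=def456; Path=/; secure; HttpOnly",
    "prefs=lang%3Den; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]

if __name__ == "__main__":
    for cookie_name, issue in audit_cookies(SAMPLE_HEADERS):
        print(f"{cookie_name}: {issue}")
```

Any session cookie reported here would be sent in the clear the first time the browser makes an unencrypted request to the same site.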
Gmail users can turn on automatic encryption of the communications between their browsers and Gmail servers, instead of typing in https://mail.google.com, according to the CNET article. “Google says it is rolling out the option not just for consumer Gmail users, but also for Google Apps enterprise users and has launched it for the premier edition of Google Apps so that communications with Google Docs, Calendar, and other included Google sites are encrypted.”
Perry emphasized that the danger of this kind of cyber theft is real and should be addressed by the major sites. See Perry’s blog for more information.