Gmail, Outlook.com and e-voting 'pwned' on stage in crypto-dodge hack

Security researchers say they have developed an interesting trick to take over Gmail and Outlook.com email accounts - by shooting down victims' logout requests even over a supposedly encrypted connection. And their classic man-in-the-middle attack could be used to compromise electronic ballot boxes to rig elections, we're told …

COMMENTS

  1. g e

    " change your password without re-typing the old one"

    Ahhh Microsoft.

    You're so mercifully free of the ravages of Best Practice

    1. Charles 9

      Re: " change your password without re-typing the old one"

      Odd. Perhaps it's just Outlook, but the last time I tried to change a Microsoft account password, it wouldn't let me until I responded to the automated e-mail sent to another e-mail account.

  2. Natalie Gritpants

    So what should we do? Is logging out then trying to log in again and using the wrong password good enough?

    1. Irongut

      Don't connect to wifi networks you don't know. Don't use a shared computer. Lock your work computer when leaving your desk. All of these should be standard procedure anyway.

      These attacks seem pretty minor to me (apart from the e-voting case), the attacker needs physical access to the network and computer. If a hacker has physical access to your computer you're screwed anyway.

      1. Anonymous Coward

        "Don't connect to wifi networks you don't know. Don't use a shared computer"

        So you go travelling to a few countries but have to take your own laptop with you and only use roaming data to connect?

        Easier just to refresh the page after logging out (or press the back button) and see if you still have access.

        I would guess always shutting down the browser afterwards will also work.

        1. Yet Another Anonymous coward

          Not safe to use roaming data - they could spoof the cell.

          If you go abroad it's safest to unspool your own fibre - and don't drink the water

          1. DropBear

            ...not forgetting to tie a few empty tin cans to your end, so you can detect if they're trying to cut the fibre for a literal man-in-the-middle attack.

        2. Mark 65

          VPN back to base before browsing?

      2. Robert Helpmann??

        Pretty Minor

        ...the attacker needs physical access to the network and computer.

        That is not what was described. This is a man-in-the-middle attack which requires access to the network, not the computer. The point of using a "naughty" access point is to get a victim to attach to the wrong network, so advice to the effect of not connecting to networks you don't know is good in as much as the target notices the cloned name showing up is somehow different than expected.

        As far as Gmail requiring that the old password be typed in before changing it, I wonder how difficult it would be to display a bogus page requesting the current password be input. Not everyone would bite, but this sort of thing is a numbers game: attack millions, but only affect thousands. It still adds up.

  3. John D. Blair

    ARP spoofing means you don't need to install/compromise a router

    The article fails to mention that you don't actually need to install special man-in-the-middle hardware such as a rogue wifi AP or ethernet router. You can use ARP spoofing to perform man-in-the-middle attacks as long as you have access to the same subnet as the target.

    http://en.wikipedia.org/wiki/ARP_Spoofing
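    One defender-side consequence of the point above is that ARP spoofing on a shared subnet leaves a detectable trace: the same IP (typically the gateway) is suddenly advertised from a second MAC address, often flipping back and forth. The following is an added example, not code from the thread or the researchers; it runs over a constructed list of ARP reply records (timestamp, sender IP, sender MAC) of the kind an ARP monitor would log, and flags every rebinding.

```python
"""Flag ARP replies that rebind an IP address to a different MAC address.

Added example (not from the thread). Input is a constructed text log of ARP
replies: "<timestamp> <sender-ip> <sender-mac>" per line, as an ARP monitor
or capture tool might emit. No live network traffic is read."""
from dataclasses import dataclass
import ipaddress

# Constructed sample: the gateway 192.168.1.1 legitimately sits at
# aa:bb:cc:dd:ee:01; at t=4 a second host (de:ad:be:ef:00:01) claims that IP,
# and at t=6 the real gateway answers again, giving the classic flip-flop.
SAMPLE_ARP_REPLIES = """\
1 192.168.1.1 aa:bb:cc:dd:ee:01
2 192.168.1.20 aa:bb:cc:dd:ee:20
3 192.168.1.1 aa:bb:cc:dd:ee:01
4 192.168.1.1 de:ad:be:ef:00:01
5 192.168.1.20 aa:bb:cc:dd:ee:20
6 192.168.1.1 aa:bb:cc:dd:ee:01
"""

@dataclass(frozen=True)
class Alert:
    ts: int        # timestamp of the reply that changed the binding
    ip: str        # IP address whose advertised MAC changed
    old_mac: str   # MAC seen before this reply
    new_mac: str   # MAC claimed by this reply

def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) tuples; malformed IPs raise ValueError."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        ipaddress.ip_address(ip)          # validate before trusting the record
        yield int(ts), ip, mac.lower()

def detect_arp_rebinding(text, protected=None):
    """Return one Alert per reply that moves an IP to a new MAC.

    If `protected` (a set of IPs, e.g. the default gateway) is given, only
    those addresses are tracked; otherwise every IP in the log is checked."""
    last_mac = {}
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        if protected is not None and ip not in protected:
            continue
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(Alert(ts, ip, prev, mac))
        last_mac[ip] = mac
    return alerts
```

In practice the log would come from a tool like arpwatch or a packet capture filtered to ARP replies; two or more alerts for the gateway IP within a short window is the pattern worth paging on.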

  4. Jones

    I just tried to change my outlook password, and it DOES require me to enter the current one in order to set a new one...

  5. Tannin

    What to do? Just close the browser.

  6. Anonymous Coward

    I have to ask this (I also know it will get a lot of down votes) but who in their right mind uses a browser for email? Maybe it has become the fashion now to use html in emails, again, why?

    1. Old Handle

      There are some cases where webmail is clearly the best solution, such as if you're traveling without your own device. But aside from that, I think most people are just more comfortable in a web browser. Traditional email programs feel rather clunky and require (minimal) technical knowhow to set up correctly.

  7. Tim Brown 1

    But surely...

    isn't it just easier to ask the NSA or GCHQ for copies of all the target's emails?

    1. druck

      Re: But surely...

      Getting really old now.

  8. Anonymous Coward

    One small flaw...

    Man in the middle

    It's hardly a surprise that as soon as you get near-physical contact with a victim's device then you'll get a lot of options to perform malicious attacks. One of the reasons why you should be careful with using your tablet or phone out in the open while you have no clue what (or if) wifi networks are being used.

    Of course the majority doesn't care at all, as long as they can read their e-mails, tweets and do some online banking.

  9. TheOldFellow

    They can have mine.

    I only talk about taking over the world on my blogs, never on email, so I'm probably safe.
