Google Mail Security

Every year, hackers gather at the DefCon convention in Las Vegas to show off their latest tools. At the last DefCon, Robert Graham of Errata Security demonstrated a tool called 'Hamster' that captures the session cookies your browser sends after signing into a Google account. Because those cookies travel unencrypted on every ordinary web request, anyone sniffing the same network can copy them and 'clone' your logged-in session without ever knowing your password, with all the implications that carries.

I'm pretty sure this happened to me whilst travelling through London's Heathrow Airport recently. All was well when I boarded the flight home, but on landing, I had lost access to my Gmail account, the principal email account I use. A new password was in place, the secondary email (for password recovery) had been altered, and my security questions wiped.

Google carries more of my online service than any other company. It carries my email, and I rely on the auto-complete for many addresses; Google Docs hosts a number of shared documents for myself and projects I'm involved in; and Google Calendar gives me access to the timetable of the community radio station I'm involved in. In short, not only could I not get access to my day-to-day life, or three years of archives... someone else had.

Luckily I've never committed any passwords or financial information into Gmail - so beyond a failed attempt to get into eBay and PayPal, I didn't suffer any financial damage. Google returned access to me within 48 hours of reporting the account as 'compromised,' but it's a timely process that, given the number of people using Google for business critical tasks, you can't take for granted will work in your favour. So what should you be doing?

Gather information

If your account is compromised, Google's Help Centre will ask for information to prove that you are the owner. Look at this form now, and if you can't answer all of its questions without looking at your Google account, find the answers, write them down and keep them somewhere safe (and not in a Google-based repository that would be lost along with the account).

My major concern, if I had to start from scratch again, was my contacts and email addresses. Gmail lets you export these as a vCard or CSV file: click Contacts on the left-hand side of the web interface to get the option. There's no reason not to have a copy of this file on your own hard drive today.

Be careful when browsing

Google signs you in over a secure (https) page, but the applications themselves then run over regular http, and that is what the 'sidejacking' attack demonstrated with Hamster at DefCon exploits: the session cookie issued at login is attached to every plain http request and can be read off the wire. The simple workaround is to always type the address with https:// (note the s after http) when going to Gmail, and to force https in the same way with the other services. This keeps the entire session on an encrypted connection, not just the login. Be aware of the limit of this workaround: it protects you only as long as every request stays on https. Follow one plain http link into the same domain and your browser will send the cookie in the clear again, because the cookie itself is not marked to be sent only over secure connections. It's always important to log out as well, which invalidates the session on Google's side so that a copied cookie is no longer any use.
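To see why 'just type https' is fragile, the following added example (not code from the original post, and nothing to do with Google's own implementation) simulates a browser that logs in over https and then browses the web-mail application. It uses Python's standard-library cookie jar, which applies the same rule real browsers do: a cookie without the Secure attribute is attached to plain http requests, a cookie with it is not. The host names, paths and cookie value are made up, and the 'sniffer' is simply a function that looks at whatever went over http.

```python
"""Why forcing https yourself is not enough: a session cookie without the
Secure attribute rides along on any plain-http request to the domain,
where a Wi-Fi sniffer can read it.  Added example, not code from the
original post; host names, paths and cookie values are constructed."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for value in set_cookie_headers:
            self._msg.add_header("Set-Cookie", value)

    def info(self):
        return self._msg


def browser_session(login_url, set_cookie_headers):
    """Simulate a browser that signed in at login_url (over https) and
    stored the cookies the login page handed back.  Returns the jar."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie_headers), Request(login_url))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the browser would attach when fetching url,
    or None if the jar's policy withholds every cookie (for example a
    Secure cookie on a plain http request)."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def sniffable(jar, urls):
    """What a passive observer on the same Wi-Fi gets to see: only plain
    http requests are readable, and only matter if a cookie was attached."""
    leaked = {}
    for url in urls:
        if url.startswith("http://"):
            header = cookie_header_for(jar, url)
            if header:
                leaked[url] = header
    return leaked


# Constructed sample session.  LOGIN is the https sign-in page; the mail
# application is then used over plain http, as the post describes.
LOGIN = "https://www.example-mail.test/accounts/ServiceLogin"
SESSION = ["SID=0123456789abcdef; Domain=.example-mail.test; Path=/"]
SESSION_SECURE = [SESSION[0] + "; Secure"]   # what the site should have set
BROWSING = [
    "http://mail.example-mail.test/mail/",    # typed without the "s"
    "http://docs.example-mail.test/",         # a plain link someone sent
    "https://mail.example-mail.test/mail/",   # forced https, as advised
]

if __name__ == "__main__":
    weak = browser_session(LOGIN, SESSION)
    print("no Secure flag :", sniffable(weak, BROWSING))
    hard = browser_session(LOGIN, SESSION_SECURE)
    print("Secure flag    :", sniffable(hard, BROWSING))
```

With the cookie as the post describes it (no Secure attribute), both plain http requests leak the session identifier, even though the login and one of the mail requests were on https. With the Secure attribute set, the same browsing leaks nothing and the https request still carries the cookie. That attribute is set by the site, not the user, which is why the user-side advice here is only a workaround.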

The attacker has to be able to see your traffic, and on an open or shared Wi-Fi hotspot that means anyone within radio range, so crowded public hotspots (such as Heathrow...) should be avoided. If you have to check your mail, consider using Google's Java client for smartphones, or a POP3/IMAP mail client rather than the web browser interface. If you do use a mail client, make sure it is set to connect over SSL/TLS: a client configured for plain POP3 or IMAP sends your actual password over the air, which is worse than leaking a cookie. If wireless connectivity is essential, consider investing in a 3G data modem for use in your country of origin. In the UK, monthly subscriptions start at £10 for 3G data services, including the hardware needed to connect.

Trapdoors for when it goes awry

And what should you do if it happens to you? The first thing is to report it to Google as soon as possible, and keep a note of what you send via the forms. But to keep everything running in the meantime, there are two 'trapdoors' you might want to consider putting in place beforehand.

The first is not to give out your Gmail address at all, but rather an email address you control (for example on a private domain) that simply forwards everything it receives into your Gmail account. If you lose access to the account, you can re-point the forwarding address to a mailbox you can still reach, so that new incoming email is not interrupted while you recover access to Gmail.

The second is to have Gmail forward every mail it receives to another mailbox. Of course, whoever has taken over the account can switch this off, but if you are simply locked out for 24 hours you'll still be receiving mail.


It's worth pointing out that Gmail, like many Web 2.0 sites, is still in beta, and is therefore still 'use at your own risk'. Google makes no promises on data integrity at all, and reserves the right to delete your account with no notice or reason. While it may be one of the better online email services, relying on it for business-critical email without the backups and trapdoors above is not wise.