HOWTO – Protect GMail from session snatching


By default, Google Mail sets a session cookie that doesn’t have the secure flag, meaning that if you log in to GMail, leave, and later return to the unencrypted “http://” URL (instead of “https://”), your browser will transmit your session information in plain-text to the server. This problem gained some attention last year and we mentioned a couple of strategies to get around the problem, either by using a Firefox plugin, or by only using GMail and logging out before browsing other sites.

A tool was recently released called Surf Jack, which is demonstrated in the video above. Surf Jack makes it incredibly easy to steal the credentials from another user’s GMail session. An attacker could take this into a typical coffee shop, wait for someone to check their mail, and then harvest their session. This gives the attacker complete access to anything confidential that the victim may have in their inbox.

Thankfully, since the problem was identified last year, Google added an additional setting in the GMail settings panel that fixes the problem. It looks like this:


If you go into the Settings panel, choose “Always use https”, and save your changes, GMail will change its default behavior and use the secure flag on its session cookie. From that point forward, you’ll no longer be vulnerable to GMail session snatching, regardless of what machine or browser you use to check your mail.
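To make the effect of that setting concrete, here is a small added example (not code from the original post or from Google) that models the browser's rule for attaching a cookie to a request and audits a Set-Cookie header for the Secure flag; the cookie name, value and both header strings are constructed samples, not real GMail responses.

```python
from urllib.parse import urlparse

# Constructed sample Set-Cookie headers, not real Google responses.
# The first models the old default; the second models "Always use https".
DEFAULT_COOKIE = "session=abc123; Domain=mail.google.com; Path=/mail; HttpOnly"
SECURE_COOKIE = "session=abc123; Domain=mail.google.com; Path=/mail; Secure; HttpOnly"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).
    Flag attributes such as Secure/HttpOnly map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def browser_would_send(header, url):
    """Model the browser's decision to attach this cookie to a request for url:
    the host must match Domain, the path must match Path, and a cookie
    marked Secure is only ever sent over https."""
    _, _, attrs = parse_set_cookie(header)
    u = urlparse(url)
    host = u.hostname or ""
    domain = attrs.get("domain", host).lstrip(".")
    if not (host == domain or host.endswith("." + domain)):
        return False
    if not (u.path or "/").startswith(attrs.get("path", "/")):
        return False
    if attrs.get("secure") and u.scheme != "https":
        return False  # Secure flag blocks transmission over plain http://
    return True


def audit(header):
    """Defender-side check: list the protections a session cookie lacks."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag (sent in clear over http://)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag")
    return findings
```

Run `audit()` over the Set-Cookie headers your own site returns to spot the same weakness the post describes before it reaches a coffee-shop network.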

I’m not sure why this isn’t the default value, but it isn’t, so go change it.

Surf Jack – HTTPS will not save you

5 thoughts on “HOWTO – Protect GMail from session snatching”

  1. Peteris Krumins says:

    May I suggest that you take a look at my Free Science Online blog?

    I have been blogging about free video lectures on the net for more than 2 years now! I have collected video lectures in physics, mathematics, computer science, engineering, biology, chemistry and many other fields.

    It’s here:

    Peteris Krumins
