Wired’s Threat Level blog covers the vulnerability in Google’s handling of SSL and session IDs.
One of the big stories at DefCon last year was a security researcher’s demonstration of wirelessly sniffing users’ session cookies while they accessed their e-mail accounts or conducted e-commerce transactions via wireless networks. The attack allowed a hacker access to the victim’s Gmail or Hotmail account without needing to decipher the user’s password.
Now the security researcher who presented that info has found that even using SSL HTTPS to access your Gmail account — which was touted at the time as a surefire way to protect Gmail users against such an attack — is vulnerable to this hack.
Additional coverage at The Register.