Today The Next Web posted an episode of BBC Watchdog where it was demonstrated how a GMail account was hacked through insecure (WEP) WiFi.

For those of you still wondering, I’d like to confirm that it is indeed possible to hack a GMail account over insecure WiFi. GMail does always send your password through secure HTTP (SSL), so the password itself can’t be directly hacked, BUT, by default, the rest of your session happens through normal clear-text HTTP. The Watchdog episode of course gives absolutely no technical details, but it’s most probably the “sidejacking” attack first published by Robert Graham, where the attacker reads the cookies of the post-authentication HTTP traffic and uses them to fool GMail into thinking that they are in fact the legitimate owner of the attacked GMail account. This attack works on other webmail and web service providers too.
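
To check whether a site of your own leaves its sessions open to this, look at what the login response does with the session cookie. The following is an added example, not part of the original post: it audits a login response for the two conditions described above, a session cookie without the `Secure` attribute and a redirect back to clear-text HTTP. The cookie name, the host `mail.example.com` and both sample responses are constructed for illustration.

```python
# Added example: audit a login response for sidejacking exposure.
# All header values below are constructed samples, not captured traffic.

def parse_headers(raw):
    """Return a list of (lowercased-name, value) pairs from a raw header block."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_login_response(raw):
    """List the ways this response lets the session leave the SSL channel."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].partition("=")[0]
            attrs = {p.partition("=")[0].lower() for p in parts[1:]}
            if "secure" not in attrs:
                # The browser will attach this cookie to plain-HTTP requests too.
                findings.append(("cookie-without-secure", cookie_name))
        elif name == "location" and value.lower().startswith("http://"):
            # The session continues in clear text after the HTTPS login.
            findings.append(("cleartext-redirect", value))
    return findings

# Constructed sample: login over HTTPS, session handed back to HTTP.
EXPOSED = """HTTP/1.1 302 Found
Set-Cookie: SESSIONID=constructed-value; Path=/; HttpOnly
Location: http://mail.example.com/inbox
"""

# Constructed sample: cookie restricted to HTTPS, session stays on HTTPS.
HARDENED = """HTTP/1.1 302 Found
Set-Cookie: SESSIONID=constructed-value; Path=/; HttpOnly; Secure
Location: https://mail.example.com/inbox
"""

if __name__ == "__main__":
    print(audit_login_response(EXPOSED))
    print(audit_login_response(HARDENED))
```

An empty list means the session cookie is never attached to a clear-text request, so there is nothing for someone listening on the same WiFi to read.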