
"change your password without re-typing the old one"
Ahhh Microsoft.
You're so mercifully free of the ravages of Best Practice
Security researchers say they have developed an interesting trick to take over Gmail and Outlook.com email accounts - by shooting down victims' logout requests even over a supposedly encrypted connection. And their classic man-in-the-middle attack could be used to compromise electronic ballot boxes to rig elections, we're told …
Don't connect to wifi networks you don't know. Don't use a shared computer. Lock your work computer when leaving your desk. All of these should be standard procedure anyway.
These attacks seem pretty minor to me (apart from the e-voting case), the attacker needs physical access to the network and computer. If a hacker has physical access to your computer you're screwed anyway.
"Don't connect to wifi networks you don't know. Don't use a shared computer"
So you go travelling to a few countries but have to take your own laptop with you and only use roaming data to connect?
Easier just to refresh the page after logging out (or press the back button) and see if you still have access.
I would guess always shutting down the browser afterwards will also work.
...the attacker needs physical access to the network and computer.
That is not what was described. This is a man-in-the-middle attack which requires access to the network, not the computer. The point of using a "naughty" access point is to get a victim to attach to the wrong network, so advice to the effect of not connecting to networks you don't know is good in as much as the target notices the cloned name showing up is somehow different than expected.
As far as Gmail requiring that the old password be typed in before changing it, I wonder how difficult it would be to display a bogus page requesting the current password be input. Not everyone would bite, but this sort of thing is a numbers game: attack millions, but only affect thousands. It still adds up.
The article fails to mention that you don't actually need to install special man-in-the-middle hardware such as a rogue wifi AP or ethernet router. You can use ARP spoofing to perform man-in-the-middle attacks as long as you have access to the same subnet as the target.
http://en.wikipedia.org/wiki/ARP_Spoofing
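The comment above notes that ARP spoofing lets anyone on the same subnet put themselves in the middle without rogue hardware. The flip side, which a defender on that subnet can act on, is that a poisoning attempt shows up as unsolicited ARP replies that re-map an IP (typically the gateway) to a different MAC. The following is an added example, not code from the article or from anyone in this thread: a small Python detector that parses raw Ethernet/ARP frames and flags a reply that contradicts a previously learned or trusted IP-to-MAC mapping, or whose Ethernet source differs from the ARP sender hardware address. It assumes the gateway's legitimate IP/MAC pair (192.168.1.1 / 00:11:22:33:44:55) is known, and the frames it inspects are constructed inline for the demonstration; on a real host you would feed it frames from a packet capture instead.

```python
"""ARP-spoof detector over raw Ethernet/ARP frames (added example, not from the article).

Assumptions (hypothetical, for illustration only): the gateway's real IP/MAC pair is
known up front, and frames arrive as raw bytes exactly as a capture would deliver them.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(src_mac, src_ip, dst_mac, dst_ip, op=ARP_REPLY) -> bytes:
    """Construct a 42-byte Ethernet+ARP frame. Used only to build sample input here."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # hw type 1 (Ethernet), proto 0x0800 (IPv4), hw len 6, proto len 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac_bytes(src_mac) + bytes(int(o) for o in src_ip.split("."))
    arp += _mac_bytes(dst_mac) + bytes(int(o) for o in dst_ip.split("."))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, eth_src, sender_mac, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return (
        op,
        _mac_str(frame[6:12]),            # Ethernet source address
        _mac_str(body[0:6]),              # ARP sender hardware address
        ".".join(str(b) for b in body[6:10]),
        ".".join(str(b) for b in body[16:20]),
    )


class ArpWatch:
    """Tracks IP->MAC bindings and reports replies that change a known binding."""

    def __init__(self, trusted=None):
        self.table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.alerts = []

    def feed(self, frame: bytes):
        """Inspect one frame; return an alert string if it looks like poisoning, else None."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, eth_src, sha, spa, tpa = parsed
        if op != ARP_REPLY:
            return None
        alert = None
        if eth_src != sha:
            # Forged replies often carry a sender MAC that does not match the L2 source.
            alert = f"ARP reply for {spa}: sender MAC {sha} differs from Ethernet source {eth_src}"
        known = self.table.get(spa)
        if known is None:
            self.table[spa] = sha            # first sighting: learn it
        elif known != sha:
            alert = f"ARP reply claims {spa} is at {sha}, previously {known} (possible poisoning)"
        if alert:
            self.alerts.append(alert)
        return alert


def run_demo():
    """Feed a legitimate gateway reply, then a poisoned one; return the alerts raised."""
    gw_ip, gw_mac, victim_mac, victim_ip = "192.168.1.1", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "192.168.1.50"
    watch = ArpWatch({gw_ip: gw_mac})
    watch.feed(build_arp(gw_mac, gw_ip, victim_mac, victim_ip))            # genuine reply: silent
    watch.feed(build_arp("de:ad:be:ef:00:01", gw_ip, victim_mac, victim_ip))  # attacker re-maps gateway
    return watch.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The detector learns the first mapping it sees unless seeded with a trusted table, so seed it with the gateway at minimum; otherwise an attacker who races the first reply wins. Gratuitous ARP during legitimate failover (for example VRRP) will also trip the table-change check, which is why the alert is reported rather than acted on automatically.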
There are some cases where webmail is clearly the best solution, such as if you're traveling without your own device. But aside from that, I think most people are just more comfortable in a web browser. Traditional email programs feel rather clunky and require (minimal) technical knowhow to set up correctly.
Man in the middle
It's hardly a surprise that as soon as you get near-physical contact to a victim's device then you'll get a lot of options to perform malicious attacks. One of the reasons why you should be careful with using your tablet or phone out in the open while you have no clue what (or if) wifi networks are being used.
Of course the majority doesn't care at all, as long as they can read their e-mails, tweets and do some online banking.