Full Disclosure mailing list archives
Re: [Full-disclosure] Social flaws / vulnerabilities in 'Last account activity' on Gmail
From: redb0ne () hush com
Date: Sat, 20 Sep 2008 13:36:16 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 20 Sep 2008 09:38:20 -0400 n3td3v <xploitable () gmail com> wrote:

> This service allows a legitimate user to observe the last 5 sessions of which users logged in to the account; this is known as the 'Last account activity' feature.

Uh, so what? Most remote-login systems allow you to do that.

> While this service is helpful to know if your account has been accessed by intruders, it also allows the intruder to get the IP addresses of legitimate users of the account. With this IP address they can get clues about the authorised account holder.

If someone gets access to my email, the last thing I am worried about them getting is my IP address. My email account has much more sensitive and revealing information that would be useful to an attacker.

> If I work in a sensitive government job, the intruder can know this using this feature.

If you work in a sensitive environment and are connecting to a webmail provider, then that alone is a problem.

> If I have been in an area, place in the world which may incriminate, or tip a spouse off about a relationship cheat, this will show up the locations of which the authorised users have been.

It'll give you the country, possibly the state; that is about it. You'd need a court order to get any more information, and good luck with that.

<more boring, baseless claims>

> In short, this feature is useless, and there is no workaround for legitimate account holders to withhold their IP address from the 'Last account activity' feature.

Useless? I value knowing if someone else is accessing my email account via that feature much more than I worry about someone finding my IP address.

> Time to scrap this feature, it's full of social flaws, which is only empowering bad guys.

No, not time to "scrap this feature". This is another sad attempt at attention whoring, but you'll find that more people care about the risks of NOT having this feature than they care about the fact someone could find the IP address you connected to, which in this day and age is trivially available information. Please, leave the real research to the experts and stop trying to whore attention.

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkjVNJIACgkQGwcl4JwqQeBlgwP+KaNbh8Su5fsYzqD8LNfqemQZGlIT
N/vQLgXfWeGia7HqLVpWYzSG4ZYdU5+rRq6oBtnBlnriNjUFXNOda4nNXXJiGKpVCZj+
QLXti/uDN8GuDQvKxucjrwdaQrmkdpzBWnhBcfqRq6LMkMu+ZYEwsWLI+BMbwXAIcF1s
fsMKh4Y=
=AEbA
-----END PGP SIGNATURE-----