Full Disclosure mailing list archives
Re: Google Accounts Security Vulnerability
From: "Michael J. Gray" <mgray () emitcode com>
Date: Tue, 15 May 2012 18:29:03 -0700
Ill clarify a bit. If you log on to your Google account from the website and it prompts you for additional security questions, you can circumvent this by simply checking mail via POP or what have you and then it adds your IP address to the list of recognized addresses. From: Thor (Hammer of God) [mailto:thor () hammerofgod com] Sent: Tuesday, May 15, 2012 12:33 PM To: Mateus Felipe Tymburibá Ferreira Cc: Jason Hellenthal; Michael J. Gray; full-disclosure () lists grok org uk Subject: RE: [Full-disclosure] Google Accounts Security Vulnerability Logging on to IMAP mail as one would be doing hundreds of times per day is not going to reset the web cookie. If that is what the OP is reporting, I would have to question if his recollection is correct since, by that logic, the password reset feature would never be activated since any other IMAP logon would clear it. If the user logged in, and was presented with the questions as stated, then it probably cleared any requirement since he would have to accept that. Unless he is saying that when presented with the questions he purposefully did not put them in and tried to logon to IMAP which I find odd. Regardless, if you already know the username and password for the email, it doesnt matter anyway no does it? You could always get the mail via IMAP or POP or whatever options were configured in gmail. There wouldnt be any need to go to the web interface in the first place. Now that I know Im not missing anything, Ill just let this one die on the vine. Description: Description: Description: Description: Description: Description: Description: Description: Description: TimSig Timothy Thor Mullen www.hammerofgod.com Thor <http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/15974957 27> s Microsoft Security Bible From: Mateus Felipe Tymburibá Ferreira [mailto:mateustymbu () gmail com] Sent: Tuesday, May 15, 2012 12:21 PM To: Thor (Hammer of God) Cc: Jason Hellenthal; Michael J. Gray; full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability I'm just copying the original message's part that probably answer your question (I did not test it...): ">From there, I attempted to log-in to my Google account with the same
username and password. To my surprise, I was not presented with any questions to confirm my identity. This completes the steps required to bypass this account hijacking counter-measure."
Mateus Felipe Tymburibá Ferreira, M. Sc. student at UFAM <http://portal.ufam.edu.br> CISSP <https://www.isc2.org/cissp/default.aspx> , OSCP <http://www.offensive-security.com/information-security-certifications/oscp- offensive-security-certified-professional/> , OSCE <http://www.offensive-security.com/information-security-certifications/osce- offensive-security-certified-expert/> , OSWP <http://www.offensive-security.com/information-security-certifications/oswp- offensive-security-wireless-professional/> <https://www.isc2.org/cissp/default.aspx> <http://www.offensive-security.com/information-security-certifications/oscp- offensive-security-certified-professional/> <http://www.offensive-security.com/information-security-certifications/osce- offensive-security-certified-expert/> <http://www.offensive-security.com/information-security-certifications/oswp- offensive-security-wireless-professional/> 2012/5/15 Thor (Hammer of God) <thor () hammerofgod com> I'm not sure I understand the issue here - the requirement for someone "happening to come across your username and password" is a pretext. Logging on to the web interface where you can change password and other personal information as well as verify existing site cookies affords the service the ability to check these sorts of things. But you logged on via IMAP, which is its own service just like POP3 or SMTP. These services can't check where you are or for the existence of a cookie, so I'm not really sure what your expectation is, or why this is being presented as an issue. Am I missing something? Timothy "Thor" Mullen www.hammerofgod.com Thor's Microsoft Security Bible -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Jason Hellenthal Sent: Saturday, May 12, 2012 9:32 AM To: Michael J. Gray Cc: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability LMFAO! On Sat, May 12, 2012 at 04:22:30AM -0700, Michael J. Gray wrote:
Effective since May 1, 2012. Products Affected: All Google account based services Upon attempting to log-in to my Google account while away from home, I was presented with a message that required me to confirm various details about my account in order to ensure I was a legitimate user and not just someone who came across my username and password. Unable to remember what my phone number from 2004 was, I looked for a way around
it.
The questions presented to me were: Complete the email address: a******g () gmail com Complete the phone number: (425) 4**-***7 Since this was presented to me, I was certain I had my username and password correct.From there, I simply went to check my email via IMAP at the new location.I was immediately granted access to my email inboxes with no trouble.From there, I attempted to log-in to my Google account with the sameusername and password. To my surprise, I was not presented with any questions to confirm my identity. This completes the steps required to bypass this account hijacking counter-measure. This just goes to show that even the largest corporations that employ teams of security experts, can also overlook very simple issues.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- - (2^(N-1)) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Google Accounts Security Vulnerability Michael J. Gray (May 12)
- Re: Google Accounts Security Vulnerability Jason Hellenthal (May 13)
- Re: Google Accounts Security Vulnerability Thor (Hammer of God) (May 15)
- Re: Google Accounts Security Vulnerability Ferenc Kovacs (May 15)
- Re: Google Accounts Security Vulnerability Mateus Felipe Tymburibá Ferreira (May 16)
- Re: Google Accounts Security Vulnerability Thor (Hammer of God) (May 15)
- Re: Google Accounts Security Vulnerability Ferenc Kovacs (May 15)
- Re: Google Accounts Security Vulnerability Shreyas Zare (May 15)
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 16)
- Re: Google Accounts Security Vulnerability Jason Hellenthal (May 16)
- Re: Google Accounts Security Vulnerability Gage Bystrom (May 16)
- Re: Google Accounts Security Vulnerability Thor (Hammer of God) (May 15)
- Re: Google Accounts Security Vulnerability Jason Hellenthal (May 13)
- <Possible follow-ups>
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 16)
- Re: Google Accounts Security Vulnerability Mike Hearn (May 17)
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 17)
- Re: Google Accounts Security Vulnerability Mike Hearn (May 17)
- Re: Google Accounts Security Vulnerability Michael Gray (May 18)
- Re: Google Accounts Security Vulnerability Mike Hearn (May 18)
- Re: Google Accounts Security Vulnerability Michael Gray (May 18)
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 17)