Full Disclosure mailing list archives
Re: Google Accounts Security Vulnerability
From: "Michael J. Gray" <mgray () emitcode com>
Date: Sat, 19 May 2012 12:04:43 -0700
I was not stating that it was a vulnerability in the sense of someone can compromise your account with only your phone number. I was saying it's not doing its job in terms of what most people expect it to do. It provides a false sense of security. It's a security mechanism, it prevents people from logging onto accounts when they come from a location that is unrecognized as associated with the account. and it can be circumvented with little effort on an individual basis. Distributed attacks would have trouble with it, but could adapt to it. If distributed attacks are the only component of their threat model, then it's fine. Regardless, it's interesting and that's why it's here. On why I don't want to provide my email address to Google: It's a different email address which I don't want associated with this email address for various reasons. That is why I am not going to provide it. Your assumption that it's a simple piece of information and requires no effort to give out is correct, but the impact of the association is unwanted. The fact that Google can create a test account and reproduce the issue (as I have now done several times) tells me that they want the account information for some other purpose or that they're just being lazy. And as for your last comment related to my "initial point", it's not my initial point. My initial point was that there's a problem and that Google should fix it or verify that this is the intended behavior. I would expect an organization to be able to rig up some tests and sort it out in a week or so. If Google is doing that, then great. From: Thor (Hammer of God) [mailto:thor () hammerofgod com] Sent: Saturday, May 19, 2012 10:29 AM To: Dan Kaminsky; Michael Gray Cc: full-disclosure () lists grok org uk; Mike Hearn Subject: RE: [Full-disclosure] Google Accounts Security Vulnerability I tried, and it didn't work (couldn't repro). None of this matters - if you have username and password, you can check mail via POP3 or IMAP. Last time I checked, that was "by design." If anyone is saying this is some sort of vulnerability because someone "happens across your username and password" then they are in the wrong business. Michael - for you to make these claims, get Google involved, and post their replies here but refuse to give them your username (which will be on every email you send out) so they can troubleshoot is really a waste of time. Your initial point of "even the big companies with teams of security experts have security vulnerabilities" seems to shrink a bit when they illustrate concern with the issue yet you refuse to provide the simplest of information. I not sure what other expectations one would have of an organization. Description: Description: Description: Description: Description: Description: Description: Description: Description: TimSig Timothy "Thor" Mullen www.hammerofgod.com Thor <http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/15974957 27> 's Microsoft Security Bible From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Dan Kaminsky Sent: Friday, May 18, 2012 1:03 PM To: Michael Gray Cc: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability Surely you can create a sock puppet for debugging purposes. On Thu, May 17, 2012 at 11:43 AM, Michael Gray <mgray () emitcode com> wrote: I'm not interested in providing that information. You can reproduce it without knowing my user name. On May 17, 2012 8:45 AM, "Mike Hearn" <hearn () google com> wrote: If you provide the name of the account you're logging in to, we can go take a look what's happening. On Thu, May 17, 2012 at 5:29 PM, Michael Gray <mgray () emitcode com> wrote:
Regardless of how you say it works, I can bypass it every time it would seem. Again, by using the method in my original post. It's likely you have
a
bug if this isn't the functionality you're after. I appreciate the statistics but they mean little to me. Thank you for taking the time to respond. I hope my suggestions and
findings
will assist you in correcting these issues On May 17, 2012 5:51 AM, "Mike Hearn" <hearn () google com> wrote:I understand your concerns, however they are not valid. You can be assured of the following: 1) We do not see this system as a replacement for passwords. If we block a login the user is notified and asked if it was them, if it wasn't we ask them to pick a new password. In very high confidence cases we will immediately force the user to choose a new password, because passwords are still the first line of defense. 2) We do not see this system as a replacement for 2-factor authentication. However the reality is that the vast majority of our users do not use 2-factor authentication and this is unlikely to change any time soon. 2SV imposes a significant extra burden on the user such that despite heavy promotion many users refuse to sign up, and of those that do, many choose to unenroll shortly afterwards. Therefore we also provide this always-on best effort system as well. 3) In fact it is very effective at stopping the large, botnet driven types of attacks we see on a daily basis and so saying it doesn't add any security is wrong. Since going live the system has successfully defended tens of millions of users who have a compromised password. A single unrepresentative data point based on one account isn't enough for you to judge the utility of the system, whereas we can clearly see the stopped campaigns (and drop in number of attempts). That said, if you have friends and relatives who use Google and you'd like to to make them more secure, by all means encourage them to set up two-factor authentication.
-- Mike Hearn | Senior Software Engineer | hearn () google com | Account security team _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Google Accounts Security Vulnerability, (continued)
- Re: Google Accounts Security Vulnerability Mike Hearn (May 17)
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 17)
- Re: Google Accounts Security Vulnerability Mike Hearn (May 17)
- Re: Google Accounts Security Vulnerability Michael Gray (May 18)
- Re: Google Accounts Security Vulnerability Mike Hearn (May 18)
- Re: Google Accounts Security Vulnerability Michael Gray (May 18)
- Re: Google Accounts Security Vulnerability Dan Kaminsky (May 18)
- Re: Google Accounts Security Vulnerability Thor (Hammer of God) (May 19)
- Re: Google Accounts Security Vulnerability Ferenc Kovacs (May 20)
- Re: Google Accounts Security Vulnerability Thor (Hammer of God) (May 20)
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 20)
- Message not available
- Re: Google Accounts Security Vulnerability Daniel Margolis (May 21)
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 17)
- Re: Google Accounts Security Vulnerability Jann Horn (May 21)
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 21)
- Re: Google Accounts Security Vulnerability Kyle Creyts (May 22)
- Re: Google Accounts Security Vulnerability Mike Hearn (May 17)
- Re: Google Accounts Security Vulnerability coderman (May 18)
- Re: Google Accounts Security Vulnerability Jeffrey Walton (May 18)
- Re: Google Accounts Security Vulnerability Mike Hearn (May 20)