Full Disclosure mailing list archives
Social flaws / vulnerabilities in 'Last account activity' on Gmail
From: n3td3v <xploitable () gmail com>
Date: Sat, 20 Sep 2008 14:38:20 +0100
This service allows a legitimate user to observe the last 5 sessions in which users logged in to the account; this is known as the 'Last account activity' feature. While this service is helpful for knowing if your account has been accessed by intruders, it also allows the intruder to get the IP addresses of legitimate users of the account. With this IP address they can get clues about the authorised account holder. If I work in a sensitive government job, the intruder can find this out using this feature. If I have been in an area or place in the world which may incriminate me, or tip a spouse off about cheating in a relationship, this will show up the locations the authorised users have been in. You don't always want your IP address listed on Gmail, especially when Gmail is usually obscure about such information.

What I found myself doing the other day was this: I wanted to log in to check my email on a computer, however I knew the IP address of the computer would be publicly listed for those who had authorised access to the Gmail account. What happened was, I wasn't able to check my email using Gmail, because it would have given away vital information to any intruder.

Gmail 'Last account activity' shows the IP addresses of the person or persons logging into an account; however, after someone has logged into your account, whether they are allowed to or not, they have your IP address and location. This is bad news for computers which don't have a proxy that obscures where you are; it can allow an enemy, spouse, and others not only to know your general whereabouts, but in some cases, if using a LAN, to find out the specific department in which you work.
And in many cases, those persons can locate the computer you used on the LAN. This is very damaging information for people working in sensitive security jobs. I'm very unhappy now about this 'Last account activity' feature; it has caught me short and prevented me from using my email account over the last day or so, until I could get back to a safe computer. This is unacceptable of Gmail, to have a list of IP addresses viewable by all, including the bad guys who may get access to the account through malicious means. It is not always easy to use an 'on the spot' proxy if you are in a location you don't want to come up on the 'Last account activity' list.

These are my concerns, do what you want with them; I for one am not happy about being restricted in such a way about what computers I can use and where. The cons of knowing which IP addresses log into your account outweigh the pros. Sure, you know someone has accessed your account, but by then it's too late anyway, and they now know where you are, your IP addresses, and other employment status information. This feature enables unauthorised users more than it enables legitimate users. I want this feature scrapped with immediate effect. This feature has more harming value to the legitimate owner of the account than it does help them. I find myself, if not on a safe computer, having to dodge Gmail while 'away' from the safe computer.

Keep the 'Last account activity' feature for responsible users at Google Inc and law enforcement to know which IP addresses are being used with the account, but not for everyone who has account access, including those who manage to gain access to the account by malicious means. This feature could damage relationships, incriminate, or pose a national security issue for those in sensitive jobs. And if I haven't logged into my account for several days, then it may also give signs to somebody that I'm somewhere I'm not supposed to be and raise suspicion among spouses, or help the bad guys in some way.
In short, this feature is restricting people's use of the Gmail service, not empowering them. Sure, it empowers the bad guys, but not the legitimate owner of the account, or one of them who may have access to the account. There isn't a feature on the Gmail login, such as a check box that says 'don't show my IP address this session in the last account activity list', and such a feature would be ridiculous anyway, because it would be used by the bad guys to hide. In short, this feature is useless, and there is no workaround for legitimate account holders to withhold their IP address from the 'Last account activity' feature. Time to scrap this feature; it's full of social flaws, which only empower bad guys. Move the feature back-end so only Google and law enforcement can know the 'Last account activity', not other members of your work force, your spouse, or random intruders who don't have a law enforcement or Google maintenance reason for having that sort of IP information.

http://mail.google.com/support/bin/answer.py?ctx=%67mail&answer=45938