Full Disclosure mailing list archives
Re: GMail complete anonymity possible via IPv6
From: Atul Agarwal <atul () secfence com>
Date: Thu, 5 Aug 2010 02:23:33 +0530
Interesting find. Not directly related but, GMail also shows no activity logs whatsoever (does not matter its IPv4/IPv6) if one tries to import contacts from a GMail account. Could be intentional by Google, as lots of websites import contacts (Facebook, Linkedin etc.) But anyone with evil intentions could have the complete contact list using any of the freely available contact importer script (http://svetlozar.net/page/Import-Gmail-Addresses.html should work fine), and the victim wont have a clue. Thanks, Atul Agarwal Secfence Technologies www.secfence.com On Wed, Aug 4, 2010 at 3:39 AM, Harry Strongburg <harry.fd () harry lu> wrote:
If a user connects to an account using gmail.com in IPv6, the "last account activity" feature will say "Unknown" as the IP address. Screenshot example: imgur: http://i.imgur.com/l4lFp.png Local mirror: http://harry.lu/files/secret/gmailipv6.png All "Unknown" entries in the screenshot are IPv6 connections, using a gmail username no one else knows of (just a garbage account I made to test this out), with a secure password (hence I am positive that there were no connections made other than mine). Erased entries in the screenshot are IPv4 addresses that I manually censored. 2001:4860:b009::53 is the current IPv6 address for gmail.com. It's an AAAA record on the domain, but I am posting it here if Google goes the easy route and just deletes the DNS entry. This should be a major security concern for Google and all Google/GMail users. With this bug, any user can connect to GMail using IPv6, access your account, and you will not be sure if it was an accidental IPv6 connection you did, or if someone had access to your account. If you casually use IPv6, you will be unable to tell if one of the "Unknown" connections were from your IPv6 range, or a remote intruder's. Stay classy, Google. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- GMail complete anonymity possible via IPv6 Harry Strongburg (Aug 04)
- Re: GMail complete anonymity possible via IPv6 Atul Agarwal (Aug 04)
- Re: GMail complete anonymity possible via IPv6 Christian Sciberras (Aug 04)
- Re: GMail complete anonymity possible via IPv6 Atul Agarwal (Aug 04)