Full Disclosure mailing list archives
Re: Google Accounts Security Vulnerability
From: Ferenc Kovacs <tyra3l () gmail com>
Date: Tue, 15 May 2012 21:46:23 +0200
I don't know much about the verification mentioned here, but Google/Gmail has a 2-step verification, which solves the problem a little bit better imo.

When you try to log in from a new computer you will be prompted for a code which is sent via SMS to your phone. And that is the only place where you can log in with your Google user+pass; every other application requires an application-specific password, which can only be generated after you successfully log in to the web interface (with an exception: I remember that trying to add my Google account to my Android phone triggered an application-specific password to be sent via SMS).

So if the 2-step verification is turned on, you won't compromise your account instantly; the attacker has to have access either to your phone, or a device which is already on your trusted device list.

http://support.google.com/a/bin/answer.py?hl=en&answer=175197

On Tue, May 15, 2012 at 9:32 PM, Thor (Hammer of God) <thor () hammerofgod com> wrote:
Logging on to IMAP mail as one would be doing hundreds of times per day is not going to reset the web cookie. If that is what the OP is reporting, I would have to question if his recollection is correct since, by that logic, the password reset feature would never be activated since any other IMAP logon would clear it.

If the user logged in, and was presented with the questions as stated, then it probably cleared any requirement since he would have to accept that. Unless he is saying that when presented with the questions he purposefully did not put them in and tried to logon to IMAP, which I find odd.

Regardless, if you already know the username and password for the email, it doesn’t matter anyway now does it? You could always get the mail via IMAP or POP or whatever options were configured in Gmail. There wouldn’t be any need to go to the web interface in the first place.

Now that I know I’m not missing anything, I’ll just let this one die on the vine.
-- Ferenc Kovács @Tyr43l - http://tyrael.hu
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/