Re: Google Accounts Security Vulnerability

[Shreyas Zare <shreyas () secfence com>]

On Wed, May 16, 2012 at 1:02 AM, Thor (Hammer of God)
<thor () hammerofgod com>wrote:

>  Regardless, if you already know the username and password for the email,
> it doesn’t matter anyway no does it?  You could always get the mail via
> IMAP or POP or whatever options were configured in gmail.  There wouldn’t
> be any need to go to the web interface in the first place.
Hi,

The verification process bypassed which the OP is talking about is
basically put in place to protect victims of phishing attacks. The phishing
attacker generally may not be in the same location as that of the victim.
Gmail web interface asks questions (mentioned my OP) so that the attacker
wont just get into the account with stolen credentials. Also note that IMAP
and POP3 can be disabled (dont remember if both are disabled by default).
So this bypass presents an interesting approach to attacker in case of IMAP
being enabled.

Regards,

(If debugging is the process of removing bugs, then programming must be the
process of putting them in --Edsger Dijkstra)

Shreyas Zare
Sr. Information Security Researcher
Secfence Technologies
http://www.secfence.com

Follow me on twitter @shreyasonline <https://twitter.com/#%21/shreyasonline>

Check out Secfence | Blog [http://blog.secfence.com]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/