Full Disclosure mailing list archives
Re: Google Accounts Security Vulnerability
From: Shreyas Zare <shreyas () secfence com>
Date: Wed, 16 May 2012 01:28:12 +0530
On Wed, May 16, 2012 at 1:02 AM, Thor (Hammer of God) <thor () hammerofgod com>wrote:
Regardless, if you already know the username and password for the email, it doesn’t matter anyway no does it? You could always get the mail via IMAP or POP or whatever options were configured in gmail. There wouldn’t be any need to go to the web interface in the first place.
Hi, The verification process bypassed which the OP is talking about is basically put in place to protect victims of phishing attacks. The phishing attacker generally may not be in the same location as that of the victim. Gmail web interface asks questions (mentioned my OP) so that the attacker wont just get into the account with stolen credentials. Also note that IMAP and POP3 can be disabled (dont remember if both are disabled by default). So this bypass presents an interesting approach to attacker in case of IMAP being enabled. Regards, (If debugging is the process of removing bugs, then programming must be the process of putting them in --Edsger Dijkstra) Shreyas Zare Sr. Information Security Researcher Secfence Technologies http://www.secfence.com Follow me on twitter @shreyasonline <https://twitter.com/#%21/shreyasonline> Check out Secfence | Blog [http://blog.secfence.com]
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Google Accounts Security Vulnerability Michael J. Gray (May 12)
- Re: Google Accounts Security Vulnerability Jason Hellenthal (May 13)
- Re: Google Accounts Security Vulnerability Thor (Hammer of God) (May 15)
- Re: Google Accounts Security Vulnerability Ferenc Kovacs (May 15)
- Re: Google Accounts Security Vulnerability Mateus Felipe Tymburibá Ferreira (May 16)
- Re: Google Accounts Security Vulnerability Thor (Hammer of God) (May 15)
- Re: Google Accounts Security Vulnerability Ferenc Kovacs (May 15)
- Re: Google Accounts Security Vulnerability Shreyas Zare (May 15)
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 16)
- Re: Google Accounts Security Vulnerability Jason Hellenthal (May 16)
- Re: Google Accounts Security Vulnerability Gage Bystrom (May 16)
- Re: Google Accounts Security Vulnerability Thor (Hammer of God) (May 15)
- Re: Google Accounts Security Vulnerability Jason Hellenthal (May 13)
- <Possible follow-ups>
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 16)
- Re: Google Accounts Security Vulnerability Mike Hearn (May 17)
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 17)
- Re: Google Accounts Security Vulnerability Mike Hearn (May 17)
- Re: Google Accounts Security Vulnerability Michael Gray (May 18)
- Re: Google Accounts Security Vulnerability Mike Hearn (May 18)
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 17)