Full Disclosure mailing list archives
Re: Google Accounts Security Vulnerability
From: "Michael J. Gray" <mgray () emitcode com>
Date: Tue, 15 May 2012 18:33:53 -0700
I received this message from a Google employee. I figure since it's a response to my post, it should go here as well. It seems that by design there are cases where this exact situation can happen. But I am very curious as to why they would ever permit this? In the situation I had, it involved an account logged on strictly from one state in the US to suddenly an IP coming from Israel and I was able to circumvent the security questions with the method described. From: Daniel Margolis [mailto:dmargolis () google com] Sent: Monday, May 14, 2012 9:53 AM To: mgray () emitcode com Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability Hi, Michael, I work on this system. There are some cases where this exact thing can happen by design, but I would love to confirm that that's what happened and that we don't have some other bug I don't know about. Would you be willing to give me the account name to allow me to look at our logs and determine what happened here? Thanks, and thanks for noticing this and taking the time to report it. Dan From: Michael J. Gray <mgray () emitcode com> Date: Sat, May 12, 2012 at 4:22 AM Subject: [Full-disclosure] Google Accounts Security Vulnerability To: full-disclosure () lists grok org uk Effective since May 1, 2012. Products Affected: All Google account based services Upon attempting to log-in to my Google account while away from home, I was presented with a message that required me to confirm various details about my account in order to ensure I was a legitimate user and not just someone who came across my username and password. Unable to remember what my phone number from 2004 was, I looked for a way around it. The questions presented to me were: Complete the email address: a******g () gmail com Complete the phone number: (425) 4**-***7 Since this was presented to me, I was certain I had my username and password correct.
From there, I simply went to check my email via IMAP at the new location.
I was immediately granted access to my email inboxes with no trouble.
From there, I attempted to log-in to my Google account with the same
username and password. To my surprise, I was not presented with any questions to confirm my identity. This completes the steps required to bypass this account hijacking counter-measure. This just goes to show that even the largest corporations that employ teams of security experts, can also overlook very simple issues. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Google Accounts Security Vulnerability, (continued)
- Re: Google Accounts Security Vulnerability Thor (Hammer of God) (May 15)
- Re: Google Accounts Security Vulnerability Ferenc Kovacs (May 15)
- Re: Google Accounts Security Vulnerability Mateus Felipe Tymburibá Ferreira (May 16)
- Re: Google Accounts Security Vulnerability Thor (Hammer of God) (May 15)
- Re: Google Accounts Security Vulnerability Ferenc Kovacs (May 15)
- Re: Google Accounts Security Vulnerability Shreyas Zare (May 15)
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 16)
- Re: Google Accounts Security Vulnerability Jason Hellenthal (May 16)
- Re: Google Accounts Security Vulnerability Gage Bystrom (May 16)
- Re: Google Accounts Security Vulnerability Thor (Hammer of God) (May 15)
- Re: Google Accounts Security Vulnerability Michael J. Gray (May 17)
- Re: Google Accounts Security Vulnerability Mike Hearn (May 17)
- Re: Google Accounts Security Vulnerability Michael Gray (May 18)
- Re: Google Accounts Security Vulnerability Mike Hearn (May 18)
- Re: Google Accounts Security Vulnerability Michael Gray (May 18)
- Re: Google Accounts Security Vulnerability Dan Kaminsky (May 18)
- Re: Google Accounts Security Vulnerability Thor (Hammer of God) (May 19)
- Re: Google Accounts Security Vulnerability Ferenc Kovacs (May 20)
- Re: Google Accounts Security Vulnerability Thor (Hammer of God) (May 20)