Re: Google Accounts Security Vulnerability

[Ferenc Kovacs <tyra3l () gmail com>]

is it me, or you aren't reading the mails that you are replying to?

On Sat, May 19, 2012 at 7:28 PM, Thor (Hammer of God)
<thor () hammerofgod com>wrote:

>  I tried, and it didn’t work (couldn’t repro).****
>
> ** **
>
> None of this matters – if you have username and password, you can check
> mail via POP3 or IMAP.   Last time I checked, that was “by design.”   If
> anyone is saying this is some sort of vulnerability because someone
> “happens across your username and password” then they are in the wrong
> business.****
>
> ** **
>
> Michael – for you to make these claims, get Google involved, and post
> their replies here but refuse to give them your username (which will be on
> every email you send out) so they can troubleshoot is really a waste of
> time.****
>
> ** **
>
> Your initial point of “even the big companies with teams of security
> experts have security vulnerabilities” seems to shrink a bit when they
> illustrate concern with the issue yet you refuse to provide the simplest of
> information.   I not sure what other expectations one would have of an
> organization.  ****
>
> ** **
>
> *[image: Description: Description: Description: Description: Description:
> Description: Description: Description: Description: TimSig]***
>
> * *
>
> *Timothy “Thor”  Mullen*
>
> *www.hammerofgod.com*
>
> *Thor’s Microsoft Security Bible<http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727>
> *
>
> ** **
>
> ** **
>
> *From:* full-disclosure-bounces () lists grok org uk [mailto:
> full-disclosure-bounces () lists grok org uk] *On Behalf Of *Dan Kaminsky
> *Sent:* Friday, May 18, 2012 1:03 PM
> *To:* Michael Gray
> *Cc:* full-disclosure () lists grok org uk
>
> *Subject:* Re: [Full-disclosure] Google Accounts Security Vulnerability***
> *
>
> ** **
>
> Surely you can create a sock puppet for debugging purposes.****
>
> On Thu, May 17, 2012 at 11:43 AM, Michael Gray <mgray () emitcode com> wrote:
> ****
>
> I'm not interested in providing that information. You can reproduce it
> without knowing my user name.****
>
> On May 17, 2012 8:45 AM, "Mike Hearn" <hearn () google com> wrote:****
>
> If you provide the name of the account you're logging in to, we can go
> take a look what's happening.
>
> On Thu, May 17, 2012 at 5:29 PM, Michael Gray <mgray () emitcode com> wrote:
> > Regardless of how you say it works, I can bypass it every time it would
> > seem. Again, by using the method in my original post. It's likely you
> have a
> > bug if this isn't the functionality you're after.
> >
> > I appreciate the statistics but they mean little to me.
> >
> > Thank you for taking the time to respond. I hope my suggestions and
> findings
> > will assist you in correcting these issues
> >
> > On May 17, 2012 5:51 AM, "Mike Hearn" <hearn () google com> wrote:
> > > I understand your concerns, however they are not valid. You can be
> > > assured of the following:
> > >
> > > 1) We do not see this system as a replacement for passwords. If we
> > > block a login the user is notified and asked if it was them, if it
> > > wasn't we ask them to pick a new password. In very high confidence
> > > cases we will immediately force the user to choose a new password,
> > > because passwords are still the first line of defense.
> > >
> > > 2) We do not see this system as a replacement for 2-factor
> > > authentication. However the reality is that the vast majority of our
> > > users do not use 2-factor authentication and this is unlikely to
> > > change any time soon. 2SV imposes a significant extra burden on the
> > > user such that despite heavy promotion many users refuse to sign up,
> > > and of those that do, many choose to unenroll shortly afterwards.
> > > Therefore we also provide this always-on best effort system as well.
> > >
> > > 3) In fact it is very effective at stopping the large, botnet driven
> > > types of attacks we see on a daily basis and so saying it doesn't add
> > > any security is wrong. Since going live the system has successfully
> > > defended tens of millions of users who have a compromised password. A
> > > single unrepresentative data point based on one account isn't enough
> > > for you to judge the utility of the system, whereas we can clearly see
> > > the stopped campaigns (and drop in number of attempts).
> > >
> > > That said, if you have friends and relatives who use Google and you'd
> > > like to to make them more secure, by all means encourage them to set
> > > up two-factor authentication.
>
>
>
> --
>
> Mike Hearn | Senior Software Engineer | hearn () google com | Account
> security team****
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/****
>
> ** **
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/