Full Disclosure mailing list archives

Re: Google Accounts Security Vulnerability


From: Alex Buie <abuie () kwdservices com>
Date: Sun, 13 May 2012 12:27:25 -0400

This reminds me of my bank, where the password can only be 12 characters
long and only alphanumeric, but they compensate with "security questions",
"Web pin" and SMS auth, where I would be perfectly content (and save time)
sec-wise if they would just let me use my normal >24 character password
scheme, and maybe the pin on unfamiliar computers.

Oh, and their mobile app? Only requires my 4 number debit pin and no
username. I'd be much more worried about losing my phone that's preauthed
than someone scanning my brain and discovering the password.
On May 12, 2012 7:59 AM, "Michael J. Gray" <mgray () emitcode com> wrote:

Effective since May 1, 2012.

Products Affected: All Google account based services


Upon attempting to log-in to my Google account while away from home, I was
presented with a message that required me to confirm various details about
my account in order to ensure I was a legitimate user and not just someone
who came across my username and password. Unable to remember what my phone
number from 2004 was, I looked for a way around it.

The questions presented to me were:

    Complete the email address: a******g () gmail com

    Complete the phone number: (425) 4**-***7


Since this was presented to me, I was certain I had my username and
password correct.

From there, I simply went to check my email via IMAP at the new location.

I was immediately granted access to my email inboxes with no trouble.


From there, I attempted to log-in to my Google account with the same
username and password.

To my surprise, I was not presented with any questions to confirm my
identity.

This completes the steps required to bypass this account hijacking
counter-measure.


This just goes to show that even the largest corporations that employ
teams of security experts can also overlook very simple issues.
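The failure mode described in the post above is a location-based login challenge that is enforced on one channel (the web sign-in page) but not on another (IMAP) that accepts the same password, with the unchallenged channel also marking the new location as trusted. The following toy model is an added example written for this archive page; it is not Google's implementation or code from either poster. The account, the addresses, the "trusted IP" rule and the `AuthService` class are all constructed assumptions made to show, side by side, the inconsistent policy and a uniform one in which every channel consults the same risk decision.

```python
from dataclasses import dataclass, field

DENIED, CHALLENGE, GRANTED = "denied", "challenge", "granted"


@dataclass
class Account:
    """Constructed sample account; password and IPs are placeholders."""
    user: str
    password: str
    trusted_ips: set = field(default_factory=set)


class AuthService:
    """Hypothetical risk-based login gate shared by a web UI and an IMAP endpoint."""

    # Channels that can actually render a verification question to the user.
    INTERACTIVE = {"web"}

    def __init__(self, account: Account, uniform_policy: bool):
        self.account = account
        # uniform_policy=False reproduces the reported behaviour: the
        # non-interactive protocol login skips the location check entirely.
        self.uniform_policy = uniform_policy

    def login(self, channel: str, user: str, password: str, ip: str,
              challenge_passed: bool = False) -> str:
        acct = self.account
        if user != acct.user or password != acct.password:
            return DENIED
        if ip in acct.trusted_ips:
            return GRANTED

        # From here on the login comes from an unfamiliar location.
        if channel not in self.INTERACTIVE and not self.uniform_policy:
            # Flaw: the protocol channel never asks for verification and
            # also records the location as trusted, so the next web login
            # from the same place is waved through without a question.
            acct.trusted_ips.add(ip)
            return GRANTED

        if channel in self.INTERACTIVE:
            if challenge_passed:
                acct.trusted_ips.add(ip)
                return GRANTED
            return CHALLENGE

        # Uniform policy on a non-interactive channel: a question cannot be
        # answered over IMAP, so the location must first be verified through
        # an interactive channel. Deny and leave the trust set unchanged.
        return DENIED


def run_scenario(uniform_policy: bool) -> list:
    """Replay the sequence from the post: web login, IMAP login, web login."""
    acct = Account("alice", "correct-horse", trusted_ips={"203.0.113.10"})
    svc = AuthService(acct, uniform_policy)
    away_ip = "198.51.100.7"  # constructed "away from home" address
    return [
        svc.login("web", "alice", "correct-horse", away_ip),
        svc.login("imap", "alice", "correct-horse", away_ip),
        svc.login("web", "alice", "correct-horse", away_ip),
    ]


if __name__ == "__main__":
    print("inconsistent policy:", run_scenario(False))
    print("uniform policy:     ", run_scenario(True))
```

With the inconsistent policy the replay yields `challenge, granted, granted`: the IMAP login both succeeds and silently converts the unfamiliar location into a trusted one. Under the uniform policy it yields `challenge, denied, challenge`, because the risk decision is made once, in one place, and the protocol endpoint has no path that bypasses it. The detection corollary for defenders is the same point seen from the logs: a successful protocol login from a location that an interactive login from the same account was challenged on moments earlier is exactly the event worth alerting on.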

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
