Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Google Accounts Security Vulnerability

From: Ferenc Kovacs <tyra3l () gmail com>
Date: Tue, 15 May 2012 20:37:28 +0200
"From there, I attempted to log-in to my Google account with the same
username and password.
To my surprise, I was not presented with any questions to confirm my
identity."

I didn't verified, but from the report it seems that those additional steps
of verification can be bypassed, if you first log in with the
credentials via IMAP.

I would guess that the successfull login on IMAP adds that new IP address
to the trusted IP list, hence the web login will skip the additional
verification.

On Tue, May 15, 2012 at 7:57 PM, Thor (Hammer of God)
<thor () hammerofgod com>wrote:


I'm not sure I understand the issue here - the requirement for someone
"happening to come across your username and password" is a pretext.

Logging on to the web interface where you can change password and other
personal information as well as verify existing site cookies affords the
service the ability to check these sorts of things.  But you logged on via
IMAP, which is its own service just like POP3 or SMTP.   These services
can't check where you are or for the existence of a cookie, so I'm not
really sure what your expectation is, or why this is being presented as an
issue.   Am I missing something?

Timothy "Thor"  Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible



-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:
full-disclosure-bounces () lists grok org uk] On Behalf Of Jason Hellenthal
Sent: Saturday, May 12, 2012 9:32 AM
To: Michael J. Gray
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability


LMFAO!

On Sat, May 12, 2012 at 04:22:30AM -0700, Michael J. Gray wrote:

Effective since May 1, 2012.

Products Affected: All Google account based services



Upon attempting to log-in to my Google account while away from home, I
was presented with a message that required me to confirm various
details about my account in order to ensure I was a legitimate user
and not just someone who came across my username and password. Unable
to remember what my phone number from 2004 was, I looked for a way

around it.


The questions presented to me were:

    Complete the email address: a******g () gmail com

    Complete the phone number: (425) 4**-***7



Since this was presented to me, I was certain I had my username and
password correct.


From there, I simply went to check my email via IMAP at the new

location.


I was immediately granted access to my email inboxes with no trouble.




From there, I attempted to log-in to my Google account with the same

username and password.

To my surprise, I was not presented with any questions to confirm my
identity.

This completes the steps required to bypass this account hijacking
counter-measure.



This just goes to show that even the largest corporations that employ
teams of security experts, can also overlook very simple issues.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



--

 - (2^(N-1))

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: