Re: Google Accounts Security Vulnerability

[Gage Bystrom <themadichib0d () gmail com>]

I think what he was trying to say, and I'm not sure since I havnt tested
it, is that you can bypass the 2nd layer of authentication by logging into
IMAP. Cause normally if you try to login from a strange device Google
becomes highly suspicious and starts asking you questions(the 2nd layer)
and he's saying that if you have the first layer covered, you can use IMAP
to avoid the second.

I don't know for sure, I just think that's what he is trying to say
On May 16, 2012 1:51 AM, "Jason Hellenthal" <jhellenthal () dataix net> wrote:

> On Tue, May 15, 2012 at 06:29:03PM -0700, Michael J. Gray wrote:
> > I’ll clarify a bit.
> >
> >
> >
> > If you log on to your Google account from the website and it prompts you
> for
> > additional security questions, you can circumvent this by simply checking
> > mail via POP or what have you and then it adds your IP address to the
> list
> > of recognized addresses.
>
> I don't know about anyone else, but I use two step verification with
> specific application pass phrases that Google so graciously allows you
> to do.
>
> With that said... It is the two phase authentication I chose to turn on
> due to the fact I have to access my mail through IMAPS.
>
> One thing I think you may be entirely confused with is the "Allow
> multiple logins" feature that you can turn off and achieve exactly what
> you would expect to happen.
>
>
> ?????????????????????????????????????????????????????????????????????
> What I don't understand is... You go to your web portal to reset your
> password... "you do not know what your password is...!" how on earth
> would you login to IMAP, POP whatever...! ?
> ?????????????????????????????????????????????????????????????????????
>
> PS: Besides if someone was able to login to your IMAP I sincerely doubt
> accessing your mail by the web will be on any one of the objective
> lists. They already have your =INBOX... Do use two phase authentication
> and do use application specific passwords for accessing your account.
>
> > From: Thor (Hammer of God) [mailto:thor () hammerofgod com]
> > Sent: Tuesday, May 15, 2012 12:33 PM
> > To: Mateus Felipe Tymburibá Ferreira
> > Cc: Jason Hellenthal; Michael J. Gray; full-disclosure () lists grok org uk
> > Subject: RE: [Full-disclosure] Google Accounts Security Vulnerability
> >
> >
> >
> > Logging on to IMAP mail as one would be doing hundreds of times per day
> is
> > not going to reset the web cookie.  If that is what the OP is reporting,
> I
> > would have to question if his recollection is correct since, by that
> logic,
> > the password reset feature would never be activated since any other IMAP
> > logon would clear it.
> >
> >
> >
> > If the user logged in, and was presented with the questions as stated,
> then
> > it probably cleared any requirement since he would have to accept that.
> > Unless he is saying that when presented with the questions he
> purposefully
> > did not put them in and tried to logon to IMAP which I find odd.
> >
> >
> >
> > Regardless, if you already know the username and password for the email,
> it
> > doesn’t matter anyway no does it?  You could always get the mail via
> IMAP or
> > POP or whatever options were configured in gmail.  There wouldn’t be any
> > need to go to the web interface in the first place.
> >
> >
> >
> > Now that I know I’m not missing anything, I’ll just let this one die on
> the
> > vine.
> >
> >
> >
> >
> >
> > Description: Description: Description: Description: Description:
> > Description: Description: Description: Description: TimSig
> >
> >
> >
> > Timothy “Thor”  Mullen
> >
> > www.hammerofgod.com
> >
> > Thor
> > <
> http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/15974957
> > 27> ’s Microsoft Security Bible
> >
> >
> >
> >
> >
> > From: Mateus Felipe Tymburibá Ferreira [mailto:mateustymbu () gmail com]
> > Sent: Tuesday, May 15, 2012 12:21 PM
> > To: Thor (Hammer of God)
> > Cc: Jason Hellenthal; Michael J. Gray; full-disclosure () lists grok org uk
> > Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability
> >
> >
> >
> > I'm just copying the original message's part that probably answer your
> > question (I did not test it...):
> >
> > ">From there, I attempted to log-in to my Google account with the same
> > > username and password.
> > >
> > > To my surprise, I was not presented with any questions to confirm my
> > > identity.
> > >
> > > This completes the steps required to bypass this account hijacking
> > > counter-measure."
> >
> >
> > Mateus Felipe Tymburibá Ferreira, M. Sc. student at UFAM
> > <http://portal.ufam.edu.br>
> >   CISSP <https://www.isc2.org/cissp/default.aspx> , OSCP
> > <
> http://www.offensive-security.com/information-security-certifications/oscp-
> > offensive-security-certified-professional/> , OSCE
> > <
> http://www.offensive-security.com/information-security-certifications/osce-
> > offensive-security-certified-expert/> , OSWP
> > <
> http://www.offensive-security.com/information-security-certifications/oswp-
> > offensive-security-wireless-professional/>
> >
> >  <https://www.isc2.org/cissp/default.aspx>
> > <
> http://www.offensive-security.com/information-security-certifications/oscp-
> > offensive-security-certified-professional/>
> > <
> http://www.offensive-security.com/information-security-certifications/osce-
> > offensive-security-certified-expert/>
> > <
> http://www.offensive-security.com/information-security-certifications/oswp-
> > offensive-security-wireless-professional/>
> >
> >
> >
> >
> > 2012/5/15 Thor (Hammer of God) <thor () hammerofgod com>
> >
> > I'm not sure I understand the issue here - the requirement for someone
> > "happening to come across your username and password" is a pretext.
> >
> > Logging on to the web interface where you can change password and other
> > personal information as well as verify existing site cookies affords the
> > service the ability to check these sorts of things.  But you logged on
> via
> > IMAP, which is its own service just like POP3 or SMTP.   These services
> > can't check where you are or for the existence of a cookie, so I'm not
> > really sure what your expectation is, or why this is being presented as
> an
> > issue.   Am I missing something?
> >
> > Timothy "Thor"  Mullen
> > www.hammerofgod.com
> > Thor's Microsoft Security Bible
> >
> >
> >
> > -----Original Message-----
> > From: full-disclosure-bounces () lists grok org uk
> > [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Jason
> > Hellenthal
> > Sent: Saturday, May 12, 2012 9:32 AM
> > To: Michael J. Gray
> > Cc: full-disclosure () lists grok org uk
> > Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability
> >
> >
> > LMFAO!
> >
> > On Sat, May 12, 2012 at 04:22:30AM -0700, Michael J. Gray wrote:
> > > Effective since May 1, 2012.
> > >
> > > Products Affected: All Google account based services
> > >
> > >
> > >
> > > Upon attempting to log-in to my Google account while away from home, I
> > > was presented with a message that required me to confirm various
> > > details about my account in order to ensure I was a legitimate user
> > > and not just someone who came across my username and password. Unable
> > > to remember what my phone number from 2004 was, I looked for a way
> around
> > it.
> > > The questions presented to me were:
> > >
> > >     Complete the email address: a******g () gmail com
> > >
> > >     Complete the phone number: (425) 4**-***7
> > >
> > >
> > >
> > > Since this was presented to me, I was certain I had my username and
> > > password correct.
> > >
> > > > From there, I simply went to check my email via IMAP at the new
> location.
> > > I was immediately granted access to my email inboxes with no trouble.
> > >
> > >
> > >
> > > > From there, I attempted to log-in to my Google account with the same
> > > username and password.
> > >
> > > To my surprise, I was not presented with any questions to confirm my
> > > identity.
> > >
> > > This completes the steps required to bypass this account hijacking
> > > counter-measure.
> > >
> > >
> > >
> > > This just goes to show that even the largest corporations that employ
> > > teams of security experts, can also overlook very simple issues.
> >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> > --
> >
> >  - (2^(N-1))
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> --
>
>  - (2^(N-1))
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/