Date: Sat, 20 Sep 2008 13:36:16 -0400
From: redb0ne@...h.com
To: full-disclosure@...ts.grok.org.uk, xploitable@...il.com
Subject: Re: Social flaws / vulnerabilities in 'Last account activity' on Gmail

On Sat, 20 Sep 2008 09:38:20 -0400 n3td3v <xploitable@...il.com> wrote:
>This service allows a legitimate user to observe the last 5 sessions
>of which users logged in to the account, this is known as the 'Last
>account activity' feature.

Uh, so what?

Most remote-login systems allow you to do that.

>
>While this service is helpful to know if your account has been
>accessed by intruders, it also allows the intruder to get the IP
>addresses of legitimate users of the account.
>
>With this IP address they can get clues about the authorised
>account holder.

If someone gets access to my email, the last thing I am worried
about them getting is my IP address. My email account has much more
sensitive and revealing information that would be useful to an
attacker.

>
>If I work in a sensitive government job, the intruder can know this
>using this feature.

If you work in a sensitive environment and are connecting to a
webmail provider then that alone is a problem.

>
>If I have been in an area, place in the world which may incriminate,
>or tip a spouse off about a relationship cheat, this will show up the
>locations of which the authorised users have been.

It'll give you the country, possibly the state, that is about it.
You'd need a court order to get any more information and good luck
with that.

<more boring, baseless claims>

>
>In short, this feature is useless, and there is no work around for
>legitimate account holders to withhold their IP address from the
>'Last account activity' feature.

Useless? I value knowing if someone else is accessing my email
account via that feature, much more than I worry about someone
finding my IP address.

>
>Time to scrap this feature, it's full of social flaws, which is only
>empowering bad guys.

No, not time to "scrap this feature".

This is another sad attempt at attention whoring, but you'll find
that more people care about the risks of NOT having this feature
than they care about the fact someone could find the IP address you
connected to, which in this day and age is trivially available
information.

Please, leave the real research to the experts and stop trying to
whore attention.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/