lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 5 Aug 2010 02:23:33 +0530
From: Atul Agarwal <atul@...fence.com>
To: Harry Strongburg <harry.fd@...ry.lu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: GMail complete anonymity possible via IPv6

Interesting find.

Not directly related but, GMail also shows no activity logs whatsoever (does
not matter its IPv4/IPv6) if one tries to import contacts from a GMail
account.

Could be intentional by Google, as lots of websites import contacts
(Facebook, Linkedin etc.)  But anyone with evil intentions could have the
complete contact list using any of the freely available contact importer
script (http://svetlozar.net/page/Import-Gmail-Addresses.html should work
fine), and the victim wont have a clue.


Thanks,
Atul Agarwal
Secfence Technologies
www.secfence.com



On Wed, Aug 4, 2010 at 3:39 AM, Harry Strongburg <harry.fd@...ry.lu> wrote:

> If a user connects to an account using gmail.com in IPv6, the "last
> account activity" feature will say "Unknown" as the IP address.
>
> Screenshot example:
> imgur: http://i.imgur.com/l4lFp.png
> Local mirror: http://harry.lu/files/secret/gmailipv6.png
> All "Unknown" entries in the screenshot are IPv6 connections, using a gmail
> username no one else knows of (just a garbage account I made to test this
> out), with a secure password (hence I am positive that there were no
> connections made other than mine). Erased entries in the screenshot are IPv4
> addresses that I manually censored.
>
> 2001:4860:b009::53 is the current IPv6 address for gmail.com. It's an AAAA
> record on the domain, but I am posting it here if Google goes the easy route
> and just deletes the DNS entry.
>
> This should be a major security concern for Google and all Google/GMail
> users. With this bug, any user can connect to GMail using IPv6, access your
> account, and you will not be sure if it was an accidental IPv6 connection
> you did, or if someone had access to your account. If you casually use IPv6,
> you will be unable to tell if one of the "Unknown" connections were from
> your IPv6 range, or a remote intruder's.
>
> Stay classy, Google.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ