lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1088968244.40e8563427778@www.mailsurf.com>
From: amforward at mailsurf.com (amforward@...lsurf.com)
Subject: Gmail Information Disclosure Vulnerability

Brief
--------------
While I was playing with Gmail, I found a bug that may disclose
information about the users currently attempting to register a new
Gmail account. This seems to be a vulnerability with low severity (at
least until now).

CheckAvailability Script
--------------
In the registration page, the "Check Availability" button queries a
certain script, namely /accounts/CheckAvailability. The script takes
the desired username, and checks if it is available. If it is not
available, it suggests other usernames by contactenating, for example,
your last name to it.

The Problem
--------------
There seems to be a thread-safety problem with CheckAvailability
script. When the script is under heavy stress, it may return answers
to queries that are not yours, revealing others' desired usernames,
and first and last names.(see attached screen shot)


Reproduction
--------------
To reproduce it, you should:

AND
a. Have a valid Gmail invitation
b. Frequently Invoke CheckAvailability by
~  OR
~  1. Creating a tool that automates the script invocation.
~  2. Having the patience and keep clicking the button frequently (this
works too!).


I have not yet carefully studied the script, but I think it might not
be a problem with this script only, but others as well. Your thoughts
are appreciated.

Regards,
Ahmed Motaz

------------------------------------------------------
Mailsurf.com your communication portal for SMS,
Email, Fax, E-Cards and more. www.mailsurf.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gmail-screenshot.gif
Type: image/gif
Size: 11389 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040704/c4224592/gmail-screenshot.gif

Powered by blists - more mailing lists