lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <AANLkTi=N0Ay7rzpH=YmwXGJNKvutvoLshEXxqq7iMM-C@mail.gmail.com>
Date: Thu, 5 Aug 2010 08:26:57 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Atul Agarwal <atul@...fence.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: GMail complete anonymity possible via IPv6

Hmm that's an idea...



On Wed, Aug 4, 2010 at 10:53 PM, Atul Agarwal <atul@...fence.com> wrote:

> Interesting find.
>
> Not directly related but, GMail also shows no activity logs whatsoever
> (does not matter its IPv4/IPv6) if one tries to import contacts from a GMail
> account.
>
> Could be intentional by Google, as lots of websites import contacts
> (Facebook, Linkedin etc.)  But anyone with evil intentions could have the
> complete contact list using any of the freely available contact importer
> script (http://svetlozar.net/page/Import-Gmail-Addresses.html should work
> fine), and the victim wont have a clue.
>
>
> Thanks,
> Atul Agarwal
> Secfence Technologies
> www.secfence.com
>
>
>
>
> On Wed, Aug 4, 2010 at 3:39 AM, Harry Strongburg <harry.fd@...ry.lu>wrote:
>
>> If a user connects to an account using gmail.com in IPv6, the "last
>> account activity" feature will say "Unknown" as the IP address.
>>
>> Screenshot example:
>> imgur: http://i.imgur.com/l4lFp.png
>> Local mirror: http://harry.lu/files/secret/gmailipv6.png
>> All "Unknown" entries in the screenshot are IPv6 connections, using a
>> gmail username no one else knows of (just a garbage account I made to test
>> this out), with a secure password (hence I am positive that there were no
>> connections made other than mine). Erased entries in the screenshot are IPv4
>> addresses that I manually censored.
>>
>> 2001:4860:b009::53 is the current IPv6 address for gmail.com. It's an
>> AAAA record on the domain, but I am posting it here if Google goes the easy
>> route and just deletes the DNS entry.
>>
>> This should be a major security concern for Google and all Google/GMail
>> users. With this bug, any user can connect to GMail using IPv6, access your
>> account, and you will not be sure if it was an accidental IPv6 connection
>> you did, or if someone had access to your account. If you casually use IPv6,
>> you will be unable to tell if one of the "Unknown" connections were from
>> your IPv6 range, or a remote intruder's.
>>
>> Stay classy, Google.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ