Date: Sat, 12 May 2012 12:32:13 -0400
From: Jason Hellenthal <jhellenthal@...aix.net>
To: "Michael J. Gray" <mgray@...tcode.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google Accounts Security Vulnerability

LMFAO!

On Sat, May 12, 2012 at 04:22:30AM -0700, Michael J. Gray wrote:
> Effective since May 1, 2012.
>
> Products Affected: All Google account-based services
>
> Upon attempting to log in to my Google account while away from home, I was
> presented with a message that required me to confirm various details about
> my account in order to ensure I was a legitimate user and not just someone
> who came across my username and password. Unable to remember what my phone
> number from 2004 was, I looked for a way around it.
>
> The questions presented to me were:
>
> Complete the email address: a******g@...il.com
>
> Complete the phone number: (425) 4**-***7
>
> Since this was presented to me, I was certain I had my username and password
> correct.
>
> From there, I simply went to check my email via IMAP at the new location.
>
> I was immediately granted access to my email inboxes with no trouble.
>
> From there, I attempted to log in to my Google account with the same
> username and password.
>
> To my surprise, I was not presented with any questions to confirm my
> identity.
>
> This completes the steps required to bypass this account hijacking
> counter-measure.
>
> This just goes to show that even the largest corporations that employ teams
> of security experts can also overlook very simple issues.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
- (2^(N-1))
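The sequence in the quoted report (web login challenged from a new location, IMAP login with the same password granted, second web login no longer challenged) is consistent with a risk policy that exempts non-browser protocols from step-up verification and records any successful authentication as a trusted location. The model below is an added example written for this archive page; it is not Google's code, and the policy logic, the class names `FlawedPolicy` and `HardenedPolicy`, and the sample account and address are all constructed assumptions, not facts established by the post. It replays the reported steps against a policy that reproduces the bypass and against one that closes it by applying the challenge per protocol and by accepting only a separate per-app password for legacy mail protocols.

```python
"""Toy model of the login-challenge bypass reported in the quoted post.

Constructed example, not Google's code. The policy logic is a hypothetical
reconstruction consistent with the observed behaviour: IMAP login with the
account password skipped the step-up challenge, and a web login from the
same place was not challenged afterwards.
"""
import hmac
from dataclasses import dataclass, field

DENIED, CHALLENGE, GRANTED = "denied", "challenge", "granted"


@dataclass
class Account:
    username: str
    password: str
    known_locations: set = field(default_factory=set)
    app_passwords: dict = field(default_factory=dict)  # label -> per-app secret


def _match(supplied: str, stored: str) -> bool:
    # Constant-time comparison; unequal lengths simply compare false.
    return hmac.compare_digest(supplied.encode(), stored.encode())


class FlawedPolicy:
    """Hypothetical policy that produces the reported bypass."""

    def login(self, acct, username, password, location, protocol):
        if username != acct.username or not _match(password, acct.password):
            return DENIED
        if protocol == "web" and location not in acct.known_locations:
            return CHALLENGE
        # Flaw 1: non-web protocols accept the account password with no step-up.
        # Flaw 2: any successful login marks the location as known for all protocols.
        acct.known_locations.add(location)
        return GRANTED

    def answer_challenge(self, acct, location, answered_correctly):
        if answered_correctly:
            acct.known_locations.add(location)
            return GRANTED
        return DENIED


class HardenedPolicy:
    """Step-up decided per protocol; legacy clients get per-app passwords only."""

    def login(self, acct, username, password, location, protocol):
        if username != acct.username:
            return DENIED
        if protocol == "web":
            if not _match(password, acct.password):
                return DENIED
            return GRANTED if location in acct.known_locations else CHALLENGE
        # Legacy protocols (IMAP/POP/SMTP) never accept the account password,
        # only a revocable per-app secret, and success never widens web trust.
        if any(_match(password, s) for s in acct.app_passwords.values()):
            return GRANTED
        return DENIED

    def answer_challenge(self, acct, location, answered_correctly):
        # Only a correctly answered challenge makes a location known.
        if answered_correctly:
            acct.known_locations.add(location)
            return GRANTED
        return DENIED


def replay_report(policy, imap_password=None):
    """Replay the three steps from the post and return their outcomes:
    web login from a new location, IMAP login from there, web login again.
    The account, app password and address are constructed sample data."""
    acct = Account("victim", "correct horse battery staple")
    acct.app_passwords["mail client"] = "xxxx-yyyy-zzzz"
    password_for_imap = imap_password or acct.password
    away = "203.0.113.7"  # TEST-NET-3 address standing in for the new location
    first_web = policy.login(acct, "victim", acct.password, away, "web")
    imap = policy.login(acct, "victim", password_for_imap, away, "imap")
    second_web = policy.login(acct, "victim", acct.password, away, "web")
    return first_web, imap, second_web


if __name__ == "__main__":
    print("flawed:  ", replay_report(FlawedPolicy()))
    print("hardened:", replay_report(HardenedPolicy()))
    print("hardened, app password on IMAP:",
          replay_report(HardenedPolicy(), imap_password="xxxx-yyyy-zzzz"))
```

Under `FlawedPolicy` the replay yields challenge, granted, granted, which is exactly the sequence in the report; under `HardenedPolicy` the IMAP attempt with the account password is denied and the second web login is still challenged, and even a valid per-app password on IMAP leaves the web challenge in place.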