Date: Sun, 13 May 2012 12:27:25 -0400
From: Alex Buie <abuie@...services.com>
To: "Michael J. Gray" <mgray@...tcode.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google Accounts Security Vulnerability

This reminds me of my bank, where the password can only be 12 characters
long and only alphanumeric, but they compensate with "security questions",
"Web pin" and SMS auth, where I would be perfectly content (and save time)
sec-wise if they would just let me use my normal >24 character password
scheme, and maybe the pin on unfamiliar computers.

Oh, and their mobile app? Only requires my 4 number debit pin and no
username. I'd be much more worried about losing my phone that's preauthed
than someone scanning my brain and discovering the password.
On May 12, 2012 7:59 AM, "Michael J. Gray" <mgray@...tcode.com> wrote:

> Effective since May 1, 2012.
>
> Products Affected: All Google account based services
>
> Upon attempting to log-in to my Google account while away from home, I was
> presented with a message that required me to confirm various details about
> my account in order to ensure I was a legitimate user and not just someone
> who came across my username and password. Unable to remember what my phone
> number from 2004 was, I looked for a way around it.
>
> The questions presented to me were:
>
>     Complete the email address: a******g@...il.com
>
>     Complete the phone number: (425) 4**-***7
>
> Since this was presented to me, I was certain I had my username and
> password correct.
>
> From there, I simply went to check my email via IMAP at the new location.
>
> I was immediately granted access to my email inboxes with no trouble.
>
> From there, I attempted to log-in to my Google account with the same
> username and password.
>
> To my surprise, I was not presented with any questions to confirm my
> identity.
>
> This completes the steps required to bypass this account hijacking
> counter-measure.
>
> This just goes to show that even the largest corporations that employ
> teams of security experts can also overlook very simple issues.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

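The quoted report describes a location-based login challenge that is enforced on the web login but not on IMAP, and that stops being asked once an IMAP login from the new location has succeeded. The following is an added example, not Google's code or anything from the thread: it models a simplified account service with two policies and replays the sequence from the report against each. The weak policy marks a location as known after any successful authentication (one plausible model of the observed behaviour; the real mechanism is not described on the page). The hardened policy verifies a location only through the interactive challenge, and protocol logins from an unverified location are refused and logged. The account name, password, phone number and location labels are constructed sample data.

```python
"""Consistency of a risk-based login challenge across authentication channels.

Added example (not from the thread): a toy account service where a web login
from an unknown location must answer a recovery challenge, while IMAP
authenticates with username/password only. Two policies are compared.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def _hash(pw: str) -> bytes:
    # Illustrative only; a production system would use a slow, salted hash.
    return hashlib.sha256(pw.encode()).digest()


@dataclass
class Account:
    username: str
    password_hash: bytes
    recovery_phone: str                 # the secret the challenge asks for
    known_locations: set = field(default_factory=set)


class AuthService:
    OK = "ok"
    DENIED = "denied"
    CHALLENGE_REQUIRED = "challenge_required"

    def __init__(self, hardened: bool):
        # hardened=False: any successful authentication (including IMAP) marks
        #   the location as known, so a later web login skips the challenge.
        # hardened=True: only a completed challenge marks a location as known,
        #   and protocol logins from unverified locations are refused.
        self.hardened = hardened
        self.accounts: dict[str, Account] = {}
        self.audit: list[str] = []      # lines a detection rule could consume

    def add_account(self, username: str, password: str, phone: str) -> None:
        self.accounts[username] = Account(username, _hash(password), phone)

    def _authenticate(self, username: str, password: str):
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.password_hash, _hash(password)):
            return None
        return acct

    def web_login(self, username, password, location, challenge_answer=None) -> str:
        acct = self._authenticate(username, password)
        if acct is None:
            self.audit.append(f"web {username}@{location}: bad credentials")
            return self.DENIED
        if location in acct.known_locations:
            self.audit.append(f"web {username}@{location}: ok, known location")
            return self.OK
        if challenge_answer is not None and hmac.compare_digest(
                challenge_answer, acct.recovery_phone):
            acct.known_locations.add(location)   # the only verification path when hardened
            self.audit.append(f"web {username}@{location}: challenge passed, location verified")
            return self.OK
        self.audit.append(f"web {username}@{location}: challenge required")
        return self.CHALLENGE_REQUIRED

    def imap_login(self, username, password, location) -> str:
        acct = self._authenticate(username, password)
        if acct is None:
            self.audit.append(f"imap {username}@{location}: bad credentials")
            return self.DENIED
        if location not in acct.known_locations:
            if self.hardened:
                # Same risk signal, same decision: the protocol login cannot
                # answer a challenge, so it is refused until the web flow does.
                self.audit.append(f"imap {username}@{location}: refused, location not verified")
                return self.CHALLENGE_REQUIRED
            acct.known_locations.add(location)   # weak: password alone vouches for the location
        self.audit.append(f"imap {username}@{location}: ok")
        return self.OK


def replay_report(hardened: bool, answer_challenge: bool = False) -> list[str]:
    """Replay the sequence from the report: web login, IMAP login, web login again.

    With answer_challenge=True the first web login answers the recovery question,
    which is the legitimate way to verify the new location.
    """
    svc = AuthService(hardened=hardened)
    svc.add_account("alice", "correct horse battery", "4255551237")  # constructed values
    svc.accounts["alice"].known_locations.add("home")
    loc = "hotel"                                                      # unfamiliar location
    answer = "4255551237" if answer_challenge else None
    return [
        svc.web_login("alice", "correct horse battery", loc, challenge_answer=answer),
        svc.imap_login("alice", "correct horse battery", loc),
        svc.web_login("alice", "correct horse battery", loc),
    ]


if __name__ == "__main__":
    print("weak policy:    ", replay_report(hardened=False))
    print("hardened policy:", replay_report(hardened=True))
    print("hardened, verified first:", replay_report(hardened=True, answer_challenge=True))
```

Under the weak policy the replay reproduces the report: the first web login is challenged, IMAP succeeds with the password alone, and the second web login is waved through because the location is now "known". Under the hardened policy the IMAP login is refused and logged until the challenge has been passed in the web flow, after which every channel is consistent. The audit lines are the point for detection work: a protocol login from a location the account has never verified is exactly the event worth alerting on.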
