lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH-PCH6B+CCUW4d5xQC2trYMY=8kf5tOcyymYgMpbfgTZPTaBg@mail.gmail.com>
Date: Tue, 15 May 2012 20:37:28 +0200
From: Ferenc Kovacs <tyra3l@...il.com>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"Michael J. Gray" <mgray@...tcode.com>
Subject: Re: Google Accounts Security Vulnerability

"From there, I attempted to log-in to my Google account with the same
username and password.
To my surprise, I was not presented with any questions to confirm my
identity."

I didn't verified, but from the report it seems that those additional steps
of verification can be bypassed, if you first log in with the
credentials via IMAP.

I would guess that the successfull login on IMAP adds that new IP address
to the trusted IP list, hence the web login will skip the additional
verification.

On Tue, May 15, 2012 at 7:57 PM, Thor (Hammer of God)
<thor@...merofgod.com>wrote:

> I'm not sure I understand the issue here - the requirement for someone
> "happening to come across your username and password" is a pretext.
>
> Logging on to the web interface where you can change password and other
> personal information as well as verify existing site cookies affords the
> service the ability to check these sorts of things.  But you logged on via
> IMAP, which is its own service just like POP3 or SMTP.   These services
> can't check where you are or for the existence of a cookie, so I'm not
> really sure what your expectation is, or why this is being presented as an
> issue.   Am I missing something?
>
> Timothy "Thor"  Mullen
> www.hammerofgod.com
> Thor's Microsoft Security Bible
>
>
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:
> full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Jason Hellenthal
> Sent: Saturday, May 12, 2012 9:32 AM
> To: Michael J. Gray
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability
>
>
> LMFAO!
>
> On Sat, May 12, 2012 at 04:22:30AM -0700, Michael J. Gray wrote:
> > Effective since May 1, 2012.
> >
> > Products Affected: All Google account based services
> >
> >
> >
> > Upon attempting to log-in to my Google account while away from home, I
> > was presented with a message that required me to confirm various
> > details about my account in order to ensure I was a legitimate user
> > and not just someone who came across my username and password. Unable
> > to remember what my phone number from 2004 was, I looked for a way
> around it.
> >
> > The questions presented to me were:
> >
> >     Complete the email address: a******g@...il.com
> >
> >     Complete the phone number: (425) 4**-***7
> >
> >
> >
> > Since this was presented to me, I was certain I had my username and
> > password correct.
> >
> > >From there, I simply went to check my email via IMAP at the new
> location.
> >
> > I was immediately granted access to my email inboxes with no trouble.
> >
> >
> >
> > >From there, I attempted to log-in to my Google account with the same
> > username and password.
> >
> > To my surprise, I was not presented with any questions to confirm my
> > identity.
> >
> > This completes the steps required to bypass this account hijacking
> > counter-measure.
> >
> >
> >
> > This just goes to show that even the largest corporations that employ
> > teams of security experts, can also overlook very simple issues.
> >
>
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
>
>  - (2^(N-1))
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ