lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 16 May 2012 01:28:12 +0530
From: Shreyas Zare <shreyas@...fence.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Google Accounts Security Vulnerability

On Wed, May 16, 2012 at 1:02 AM, Thor (Hammer of God)
<thor@...merofgod.com>wrote:

>  Regardless, if you already know the username and password for the email,
> it doesn’t matter anyway no does it?  You could always get the mail via
> IMAP or POP or whatever options were configured in gmail.  There wouldn’t
> be any need to go to the web interface in the first place.
>
>
Hi,

The verification process bypassed which the OP is talking about is
basically put in place to protect victims of phishing attacks. The phishing
attacker generally may not be in the same location as that of the victim.
Gmail web interface asks questions (mentioned my OP) so that the attacker
wont just get into the account with stolen credentials. Also note that IMAP
and POP3 can be disabled (dont remember if both are disabled by default).
So this bypass presents an interesting approach to attacker in case of IMAP
being enabled.

Regards,

(If debugging is the process of removing bugs, then programming must be the
process of putting them in --Edsger Dijkstra)

Shreyas Zare
Sr. Information Security Researcher
Secfence Technologies
http://www.secfence.com

Follow me on twitter @shreyasonline <https://twitter.com/#%21/shreyasonline>

Check out Secfence | Blog [http://blog.secfence.com]

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ