lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <024f01cd3303$486c2da0$d94488e0$@emitcode.com>
Date: Tue, 15 May 2012 18:29:03 -0700
From: "Michael J. Gray" <mgray@...tcode.com>
To: "'Thor \(Hammer of God\)'" <thor@...merofgod.com>,
	'Mateus Felipe Tymburibá Ferreira'
	<mateustymbu@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google Accounts Security Vulnerability

I’ll clarify a bit.

 

If you log on to your Google account from the website and it prompts you for
additional security questions, you can circumvent this by simply checking
mail via POP or what have you and then it adds your IP address to the list
of recognized addresses. 

 

From: Thor (Hammer of God) [mailto:thor@...merofgod.com] 
Sent: Tuesday, May 15, 2012 12:33 PM
To: Mateus Felipe Tymburibá Ferreira
Cc: Jason Hellenthal; Michael J. Gray; full-disclosure@...ts.grok.org.uk
Subject: RE: [Full-disclosure] Google Accounts Security Vulnerability

 

Logging on to IMAP mail as one would be doing hundreds of times per day is
not going to reset the web cookie.  If that is what the OP is reporting, I
would have to question if his recollection is correct since, by that logic,
the password reset feature would never be activated since any other IMAP
logon would clear it.  

 

If the user logged in, and was presented with the questions as stated, then
it probably cleared any requirement since he would have to accept that.
Unless he is saying that when presented with the questions he purposefully
did not put them in and tried to logon to IMAP which I find odd.

 

Regardless, if you already know the username and password for the email, it
doesn’t matter anyway no does it?  You could always get the mail via IMAP or
POP or whatever options were configured in gmail.  There wouldn’t be any
need to go to the web interface in the first place.   

 

Now that I know I’m not missing anything, I’ll just let this one die on the
vine. 

 

 

Description: Description: Description: Description: Description:
Description: Description: Description: Description: TimSig

 

Timothy “Thor”  Mullen

www.hammerofgod.com

Thor
<http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/15974957
27> ’s Microsoft Security Bible

 

 

From: Mateus Felipe Tymburibá Ferreira [mailto:mateustymbu@...il.com] 
Sent: Tuesday, May 15, 2012 12:21 PM
To: Thor (Hammer of God)
Cc: Jason Hellenthal; Michael J. Gray; full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability

 

I'm just copying the original message's part that probably answer your
question (I did not test it...):

">From there, I attempted to log-in to my Google account with the same
> username and password.
>
> To my surprise, I was not presented with any questions to confirm my
> identity.
>
> This completes the steps required to bypass this account hijacking
> counter-measure."


Mateus Felipe Tymburibá Ferreira, M. Sc. student at UFAM
<http://portal.ufam.edu.br> 
  CISSP <https://www.isc2.org/cissp/default.aspx> , OSCP
<http://www.offensive-security.com/information-security-certifications/oscp-
offensive-security-certified-professional/> , OSCE
<http://www.offensive-security.com/information-security-certifications/osce-
offensive-security-certified-expert/> , OSWP
<http://www.offensive-security.com/information-security-certifications/oswp-
offensive-security-wireless-professional/> 

 <https://www.isc2.org/cissp/default.aspx>
<http://www.offensive-security.com/information-security-certifications/oscp-
offensive-security-certified-professional/>
<http://www.offensive-security.com/information-security-certifications/osce-
offensive-security-certified-expert/>
<http://www.offensive-security.com/information-security-certifications/oswp-
offensive-security-wireless-professional/> 




2012/5/15 Thor (Hammer of God) <thor@...merofgod.com>

I'm not sure I understand the issue here - the requirement for someone
"happening to come across your username and password" is a pretext.

Logging on to the web interface where you can change password and other
personal information as well as verify existing site cookies affords the
service the ability to check these sorts of things.  But you logged on via
IMAP, which is its own service just like POP3 or SMTP.   These services
can't check where you are or for the existence of a cookie, so I'm not
really sure what your expectation is, or why this is being presented as an
issue.   Am I missing something?

Timothy "Thor"  Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible



-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Jason
Hellenthal
Sent: Saturday, May 12, 2012 9:32 AM
To: Michael J. Gray
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability


LMFAO!

On Sat, May 12, 2012 at 04:22:30AM -0700, Michael J. Gray wrote:
> Effective since May 1, 2012.
>
> Products Affected: All Google account based services
>
>
>
> Upon attempting to log-in to my Google account while away from home, I
> was presented with a message that required me to confirm various
> details about my account in order to ensure I was a legitimate user
> and not just someone who came across my username and password. Unable
> to remember what my phone number from 2004 was, I looked for a way around
it.
>
> The questions presented to me were:
>
>     Complete the email address: a******g@...il.com
>
>     Complete the phone number: (425) 4**-***7
>
>
>
> Since this was presented to me, I was certain I had my username and
> password correct.
>
> >From there, I simply went to check my email via IMAP at the new location.
>
> I was immediately granted access to my email inboxes with no trouble.
>
>
>
> >From there, I attempted to log-in to my Google account with the same
> username and password.
>
> To my surprise, I was not presented with any questions to confirm my
> identity.
>
> This completes the steps required to bypass this account hijacking
> counter-measure.
>
>
>
> This just goes to show that even the largest corporations that employ
> teams of security experts, can also overlook very simple issues.
>

> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


--

 - (2^(N-1))

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 


Content of type "text/html" skipped

Download attachment "image001.png" of type "image/png" (1049 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ