Date: Tue, 15 May 2012 18:33:53 -0700
From: "Michael J. Gray" <mgray@...tcode.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: Google Accounts Security Vulnerability

I received this message from a Google employee. I figure since it's a
response to my post, it should go here as well.

It seems that by design there are cases where this exact situation can
happen. But I am very curious as to why they would ever permit this?

In the situation I had, it involved an account logged on strictly from one
state in the US to suddenly an IP coming from Israel and I was able to
circumvent the security questions with the method described. 

From: Daniel Margolis [mailto:dmargolis@...gle.com] 
Sent: Monday, May 14, 2012 9:53 AM
To: mgray@...tcode.com
Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability

Hi, Michael, 

I work on this system. There are some cases where this exact thing can
happen by design, but I would love to confirm that that's what happened and
that we don't have some other bug I don't know about. 

Would you be willing to give me the account name to allow me to look at our
logs and determine what happened here? 

Thanks, and thanks for noticing this and taking the time to report it. 

Dan

From: Michael J. Gray <mgray@...tcode.com>

Date: Sat, May 12, 2012 at 4:22 AM
Subject: [Full-disclosure] Google Accounts Security Vulnerability
To: full-disclosure@...ts.grok.org.uk

Effective since May 1, 2012.

Products Affected: All Google account based services

Upon attempting to log in to my Google account while away from home, I was
presented with a message that required me to confirm various details about
my account in order to ensure I was a legitimate user and not just someone
who came across my username and password. Unable to remember what my phone
number from 2004 was, I looked for a way around it.

The questions presented to me were:

    Complete the email address: a******g@...il.com

    Complete the phone number: (425) 4**-***7

Since this was presented to me, I was certain I had my username and password
correct.

From there, I simply went to check my email via IMAP at the new location.

I was immediately granted access to my email inboxes with no trouble.

From there, I attempted to log in to my Google account with the same
username and password.

To my surprise, I was not presented with any questions to confirm my
identity.

This completes the steps required to bypass this account hijacking
counter-measure.

This just goes to show that even the largest corporations that employ teams
of security experts can also overlook very simple issues.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

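The report above describes a login-risk challenge that is enforced on the web login path but not on IMAP, after which the IMAP login counts as a familiar location and the web login stops asking. The following Python model is an added illustration written for this archive page; it is not Google's code and is not part of the thread. The account, the `web`/`imap` protocol names, the single `challenge_secret` standing in for the masked email and phone questions, and the `trusted_locations` set are all constructed assumptions. `FlawedAuth` reproduces the sequence in the report (challenge, IMAP granted, web no longer challenged); `HardenedAuth` applies one risk decision to every protocol and records trust only once the challenge has actually been completed.

```python
"""Risk-based login challenge: one policy for every protocol.

Added illustration, not Google's code.  Protocol names, the single
challenge secret and the trusted-location set are constructed here.
"""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Set


def _matches(given: Optional[str], expected: str) -> bool:
    """Constant-time string comparison that tolerates a missing answer."""
    return given is not None and hmac.compare_digest(given, expected)


@dataclass
class Account:
    username: str
    password: str
    challenge_secret: str            # stands in for the masked email/phone answers
    trusted_locations: Set[str] = field(default_factory=set)


# Protocols able to render an interactive identity challenge to the user.
CAN_CHALLENGE = {"web"}


class FlawedAuth:
    """Models the behaviour the report describes.

    Only the web path challenges an unfamiliar location; IMAP checks the
    password alone, and every successful authentication, whichever protocol
    it came over, marks the location as trusted.
    """

    def login(self, acct: Account, password: str, location: str,
              protocol: str, answer: Optional[str] = None) -> str:
        if not _matches(password, acct.password):
            return "denied"
        if protocol in CAN_CHALLENGE and location not in acct.trusted_locations:
            if not _matches(answer, acct.challenge_secret):
                return "challenge"
        # Defect: trust is recorded for any successful authentication,
        # including one that never went through the challenge at all.
        acct.trusted_locations.add(location)
        return "granted"


class HardenedAuth:
    """One risk decision for every protocol; trust only after verification.

    From an unfamiliar location, a protocol that cannot present the challenge
    is refused and the user must verify over one that can.  Trust is recorded
    only when the challenge has actually been answered.
    """

    def login(self, acct: Account, password: str, location: str,
              protocol: str, answer: Optional[str] = None) -> str:
        if not _matches(password, acct.password):
            return "denied"
        if location not in acct.trusted_locations:
            if protocol not in CAN_CHALLENGE:
                return "verification_required"
            if not _matches(answer, acct.challenge_secret):
                return "challenge"
            acct.trusted_locations.add(location)   # verified, now trusted
        return "granted"


def _sample_account() -> Account:
    # Constructed sample: account so far only seen from "US".
    return Account("user", "correct-password", "7", {"US"})


def replay_report(auth) -> List[str]:
    """The sequence from the report: web login from a new location,
    then IMAP from the same location, then web again."""
    acct = _sample_account()
    return [
        auth.login(acct, "correct-password", "IL", "web"),
        auth.login(acct, "correct-password", "IL", "imap"),
        auth.login(acct, "correct-password", "IL", "web"),
    ]


def replay_with_verification(auth) -> List[str]:
    """IMAP first, then the challenge completed over the web, then IMAP again."""
    acct = _sample_account()
    return [
        auth.login(acct, "correct-password", "IL", "imap"),
        auth.login(acct, "correct-password", "IL", "web", answer="7"),
        auth.login(acct, "correct-password", "IL", "imap"),
    ]


if __name__ == "__main__":
    print("flawed:  ", replay_report(FlawedAuth()))
    print("hardened:", replay_report(HardenedAuth()))
    print("hardened, verified over web:", replay_with_verification(HardenedAuth()))
```

Running the module prints the three replays. The defender-side point is in the second class: a protocol that cannot render the challenge has to be refused from an unverified location rather than waved through, and location trust must follow from completed verification, not from a password check. Against real logs, the corresponding check is to look for locations whose first trusted login arrived over a protocol that can never present a challenge.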
