Hmm that's an idea...
On Wed, Aug 4, 2010 at 10:53 PM, Atul Agarwal <[email protected]> wrote:
> Interesting find.
>
> Not directly related but, GMail also shows no activity logs whatsoever
> (does not matter it's IPv4/IPv6) if one tries to import contacts from a GMail
> account.
>
> Could be intentional by Google, as lots of websites import contacts
> (Facebook, Linkedin etc.) But anyone with evil intentions could have the
> complete contact list using any of the freely available contact importer
> script (http://svetlozar.net/page/Import-Gmail-Addresses.html should work
> fine), and the victim won't have a clue.
>
> Thanks,
> Atul Agarwal
> Secfence Technologies
> www.secfence.com
>
> On Wed, Aug 4, 2010 at 3:39 AM, Harry Strongburg <[email protected]> wrote:
>
>> If a user connects to an account using gmail.com in IPv6, the "last
>> account activity" feature will say "Unknown" as the IP address.
>>
>> Screenshot example:
>> imgur: http://i.imgur.com/l4lFp.png
>> Local mirror: http://harry.lu/files/secret/gmailipv6.png
>> All "Unknown" entries in the screenshot are IPv6 connections, using a
>> gmail username no one else knows of (just a garbage account I made to test
>> this out), with a secure password (hence I am positive that there were no
>> connections made other than mine). Erased entries in the screenshot are IPv4
>> addresses that I manually censored.
>>
>> 2001:4860:b009::53 is the current IPv6 address for gmail.com. It's an
>> AAAA record on the domain, but I am posting it here if Google goes the easy
>> route and just deletes the DNS entry.
>>
>> This should be a major security concern for Google and all Google/GMail
>> users. With this bug, any user can connect to GMail using IPv6, access your
>> account, and you will not be sure if it was an accidental IPv6 connection
>> you did, or if someone had access to your account. If you casually use IPv6,
>> you will be unable to tell if one of the "Unknown" connections were from
>> your IPv6 range, or a remote intruder's.
>>
>> Stay classy, Google.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
