On Tue, May 15, 2012 at 06:29:03PM -0700, Michael J. Gray wrote:
> I'll clarify a bit.
>
> If you log on to your Google account from the website and it prompts you for additional security questions, you can circumvent this by simply checking mail via POP or what have you and then it adds your IP address to the list of recognized addresses.
>
I don't know about anyone else, but I use two-step verification with specific application pass phrases that Google so graciously allows you to do. With that said... It is the two-phase authentication I chose to turn on due to the fact I have to access my mail through IMAPS. One thing I think you may be entirely confused with is the "Allow multiple logins" feature that you can turn off and achieve exactly what you would expect to happen.

What I don't understand is... You go to your web portal to reset your password... "you do not know what your password is...!" How on earth would you log in to IMAP, POP, whatever...!?

PS: Besides, if someone was able to log in to your IMAP I sincerely doubt accessing your mail by the web will be on any one of the objective lists. They already have your INBOX... Do use two-phase authentication and do use application-specific passwords for accessing your account.

> From: Thor (Hammer of God) [mailto:[email protected]]
> Sent: Tuesday, May 15, 2012 12:33 PM
> To: Mateus Felipe Tymburibá Ferreira
> Cc: Jason Hellenthal; Michael J. Gray; [email protected]
> Subject: RE: [Full-disclosure] Google Accounts Security Vulnerability
>
> Logging on to IMAP mail as one would be doing hundreds of times per day is not going to reset the web cookie. If that is what the OP is reporting, I would have to question if his recollection is correct since, by that logic, the password reset feature would never be activated since any other IMAP logon would clear it.
>
> If the user logged in, and was presented with the questions as stated, then it probably cleared any requirement since he would have to accept that. Unless he is saying that when presented with the questions he purposefully did not put them in and tried to logon to IMAP, which I find odd.
>
> Regardless, if you already know the username and password for the email, it doesn't matter anyway now does it? You could always get the mail via IMAP or POP or whatever options were configured in Gmail. There wouldn't be any need to go to the web interface in the first place.
>
> Now that I know I'm not missing anything, I'll just let this one die on the vine.
>
> Timothy "Thor" Mullen
> www.hammerofgod.com
> Thor's Microsoft Security Bible <http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727>
>
> From: Mateus Felipe Tymburibá Ferreira [mailto:[email protected]]
> Sent: Tuesday, May 15, 2012 12:21 PM
> To: Thor (Hammer of God)
> Cc: Jason Hellenthal; Michael J. Gray; [email protected]
> Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability
>
> I'm just copying the original message's part that probably answers your question (I did not test it...):
>
> "From there, I attempted to log-in to my Google account with the same username and password.
>
> To my surprise, I was not presented with any questions to confirm my identity.
>
> This completes the steps required to bypass this account hijacking counter-measure."
>
> Mateus Felipe Tymburibá Ferreira, M. Sc.
> student at UFAM <http://portal.ufam.edu.br>
> CISSP <https://www.isc2.org/cissp/default.aspx>, OSCP <http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/>, OSCE <http://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/>, OSWP <http://www.offensive-security.com/information-security-certifications/oswp-offensive-security-wireless-professional/>
>
> 2012/5/15 Thor (Hammer of God) <[email protected]>
>
> I'm not sure I understand the issue here - the requirement for someone "happening to come across your username and password" is a pretext.
>
> Logging on to the web interface where you can change password and other personal information as well as verify existing site cookies affords the service the ability to check these sorts of things. But you logged on via IMAP, which is its own service just like POP3 or SMTP. These services can't check where you are or for the existence of a cookie, so I'm not really sure what your expectation is, or why this is being presented as an issue. Am I missing something?
>
> Timothy "Thor" Mullen
> www.hammerofgod.com
> Thor's Microsoft Security Bible
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Jason Hellenthal
> Sent: Saturday, May 12, 2012 9:32 AM
> To: Michael J. Gray
> Cc: [email protected]
> Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability
>
> LMFAO!
>
> > On Sat, May 12, 2012 at 04:22:30AM -0700, Michael J. Gray wrote:
> > Effective since May 1, 2012.
> >
> > Products Affected: All Google account based services
> >
> > Upon attempting to log-in to my Google account while away from home, I was presented with a message that required me to confirm various details about my account in order to ensure I was a legitimate user and not just someone who came across my username and password. Unable to remember what my phone number from 2004 was, I looked for a way around it.
> >
> > The questions presented to me were:
> >
> > Complete the email address: a******[email protected]
> >
> > Complete the phone number: (425) 4**-***7
> >
> > Since this was presented to me, I was certain I had my username and password correct.
> >
> > From there, I simply went to check my email via IMAP at the new location.
> >
> > I was immediately granted access to my email inboxes with no trouble.
> >
> > From there, I attempted to log-in to my Google account with the same username and password.
> >
> > To my surprise, I was not presented with any questions to confirm my identity.
> >
> > This completes the steps required to bypass this account hijacking counter-measure.
> >
> > This just goes to show that even the largest corporations that employ teams of security experts can also overlook very simple issues.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> - (2^(N-1))

--
- (2^(N-1))
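The login policy the thread is arguing about, as an added model (example code written for this page, not part of the thread and not Google's implementation): a web login from an unrecognized IP is challenged with the questions; in the behaviour the original post describes, a plain IMAP/POP login then marks that IP as recognized, while the hardened variant grants web trust only once the challenge is answered and lets IMAP/POP accept only application-specific passwords, as Jason recommends. `Account`, `login`, `replay` and every value in them are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of the login policy discussed in the thread, not Google's
# code. A web login from an unrecognized IP is challenged with questions; the
# question is what a successful IMAP/POP login from that IP may change.

@dataclass
class Account:
    password: str
    app_passwords: set = field(default_factory=set)   # application-specific passwords
    trusted_ips: set = field(default_factory=set)     # "recognized addresses"

def login(acct, channel, ip, secret, answers_ok=False, policy="flawed"):
    """Return 'ok', 'challenge' or 'denied'.

    policy="flawed": the behaviour the post describes. Any successful
    IMAP/POP login adds the IP to the recognized list, so the next web
    login from it skips the questions.
    policy="fixed": IMAP/POP accept only application-specific passwords
    and never extend web trust; an IP becomes recognized only once the
    web challenge has actually been answered.
    """
    if channel == "web":
        if secret != acct.password:
            return "denied"
        if ip in acct.trusted_ips:
            return "ok"
        if answers_ok:                        # challenge completed on the web
            acct.trusted_ips.add(ip)
            return "ok"
        return "challenge"                    # unrecognized IP: no trust yet
    # IMAP/POP: no cookies, no questions, credentials only (Thor's point)
    if policy == "flawed":
        if secret != acct.password:
            return "denied"
        acct.trusted_ips.add(ip)              # the bug: trust earned without the challenge
        return "ok"
    if secret not in acct.app_passwords:      # fixed: account password refused here
        return "denied"
    return "ok"                               # mailbox access, web trust unchanged

def replay(policy):
    """Run the three steps from the original post against one policy."""
    acct = Account("hunter2", {"abcd-efgh-ijkl-mnop"})   # constructed secrets
    ip = "203.0.113.9"                        # RFC 5737 documentation address
    imap_secret = "hunter2" if policy == "flawed" else "abcd-efgh-ijkl-mnop"
    return (login(acct, "web", ip, "hunter2", policy=policy),
            login(acct, "imap", ip, imap_secret, policy=policy),
            login(acct, "web", ip, "hunter2", policy=policy))
```

Under the flawed policy the replay returns `('challenge', 'ok', 'ok')`: the IMAP login silently converts the challenge into trust. Under the fixed policy it returns `('challenge', 'ok', 'challenge')`, and an IMAP login with the account password is refused outright.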
