I'm just copying the original message's part that probably answers your question (I did not test it...):
"From there, I attempted to log-in to my Google account with the same
username and password.

To my surprise, I was not presented with any questions to confirm my
identity.

This completes the steps required to bypass this account hijacking
counter-measure."

Mateus Felipe Tymburibá Ferreira,
M. Sc. student at UFAM <http://portal.ufam.edu.br>
CISSP <https://www.isc2.org/cissp/default.aspx>,
OSCP <http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/>,
OSCE <http://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/>,
OSWP <http://www.offensive-security.com/information-security-certifications/oswp-offensive-security-wireless-professional/>

2012/5/15 Thor (Hammer of God) <[email protected]>

> I'm not sure I understand the issue here - the requirement for someone
> "happening to come across your username and password" is a pretext.
>
> Logging on to the web interface where you can change password and other
> personal information as well as verify existing site cookies affords the
> service the ability to check these sorts of things. But you logged on via
> IMAP, which is its own service just like POP3 or SMTP. These services
> can't check where you are or for the existence of a cookie, so I'm not
> really sure what your expectation is, or why this is being presented as an
> issue. Am I missing something?
>
> Timothy "Thor" Mullen
> www.hammerofgod.com
> Thor's Microsoft Security Bible
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Jason Hellenthal
> Sent: Saturday, May 12, 2012 9:32 AM
> To: Michael J. Gray
> Cc: [email protected]
> Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability
>
> LMFAO!
>
> On Sat, May 12, 2012 at 04:22:30AM -0700, Michael J. Gray wrote:
> > Effective since May 1, 2012.
> >
> > Products Affected: All Google account based services
> >
> > Upon attempting to log-in to my Google account while away from home, I
> > was presented with a message that required me to confirm various
> > details about my account in order to ensure I was a legitimate user
> > and not just someone who came across my username and password. Unable
> > to remember what my phone number from 2004 was, I looked for a way
> > around it.
> >
> > The questions presented to me were:
> >
> > Complete the email address: a******[email protected]
> >
> > Complete the phone number: (425) 4**-***7
> >
> > Since this was presented to me, I was certain I had my username and
> > password correct.
> >
> > From there, I simply went to check my email via IMAP at the new
> > location.
> >
> > I was immediately granted access to my email inboxes with no trouble.
> >
> > From there, I attempted to log-in to my Google account with the same
> > username and password.
> >
> > To my surprise, I was not presented with any questions to confirm my
> > identity.
> >
> > This completes the steps required to bypass this account hijacking
> > counter-measure.
> >
> > This just goes to show that even the largest corporations that employ
> > teams of security experts, can also overlook very simple issues.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> --
>
>  - (2^(N-1))
