Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Social flaws / vulnerabilities in 'Last account activity' on Gmail
From: n3td3v <xploitable () gmail com>
Date: Sat, 20 Sep 2008 14:38:20 +0100

This service allows a legitimate user to observe the last 5 sessions
of which users logged in to the account, this is known as the 'Last
account activity' feature.

While this service is helpful to know if your account has been
accessed by intruders, it also allows the intruder to get the IP
addresses of legitimate users of the account.

With this IP address they can get clues about the authorised account holder.

If I work in a sensitive government job, the intruder can know this
using this feature.

If I have been in an area, place in the world which may incriminate,
or tip a spouse off about a relationship cheat, this will show up the
locations of which the authoritised users have been.

You don't always want your IP address listed on Gmail, espeically when
Gmail is usually obscure about such information.

What I found myself doing the other day was this:

I wanted to log in to check my email on a computer, however I knew
this IP address of the computer would be publically listed for those
who had authorised access to the Gmail account.

What happened was, I wasn't able to check my email using Gmail,
because it would have given away vital information to any intruder.

Gmail 'Last account activity' shows the IP addresses of person or
person(s) logging into an account, however after someone has logged
into your account even if they are allowed to or not have your IP
address and location.

This is bad news for computers which don't have a proxy that obscures
where you are, it can allow an enemy, spouse, and others not only to
know your general whereabouts, but in some cases if using a lan, they
can find out your specific department of which you work. And in many
cases, the persons can locate the computer you used on the lan, this
is very damaging information for people working in sensitive security
jobs, i'm very unhappy now about this 'Last account activity' feature,
it has caught me short and prevented me from using my email account
over the last day or so, until I could get back to a safe computer.
This is unacceptable of Gmail to have a list of IP addresses viewable
by all, including the bad guys who may get access to the account
through malicious means.

It is not always easy to use an 'on the spot' proxy if you are in a
location you don't want to come up on the 'Last account activity'

These are my concerns, do what you want with them, I for one not happy
about being restricted in such a way about what computers I can use
and where.

The cons of knowing which IP addresses log into your account outweigh the pros.

Sure, you know someone has accessed your account, by then its too late
anyway, and they now know where you are, your IP addresses, other
employment status information.

This feature enables unauthorised users more than it enables legitmate users.

I want this feature scraped with immediate effect.

This feature has more harming value to the legitimate owner of the
account than it does help them.

I find myself, if not on a safe computer having to dodge Gmail while
'away' from the safe computer.

Keep the 'Last account activity' feauture for responsible users of
Google Inc and law enforcement know which IP adddresses are being used
with the acocunt, but not to everyone who has account access,
including those who manage to gain access to the account by malicious

This feature could damage relationships, incriminate, pose a national
security issue for those in sensitive jobs.

And if I haven't logged into my account for several days, then it may
also give signs to somebody i'm somewhere im not supposed to be and
raise suspicion amoung spouses, or help the bad guys in some way.

In short, this feature is restricting peoples use of the Gmail
service, not empowering them. Sure it empowers the bad guys, but not
the legimate owner of the account or one of them, who may have access
to the account.

There isn't a feature on the gmail login, that is a check box that
says 'don't show my ip address this session in the last account
activity list' and such a feature would be ridiculous anyway, because
it would be used by the bad guys to hide.

In short, this feature is useless, and there is no work around for
legitmate account holders to withhold their IP address from the 'Last
account activity' feature.

Time to scrap this feature, its full of social flaws, which is only
empowering bad guys.

Move the feature back-end so only Google and law enforcement can know
the 'Last account activity' not, other members of your work force,
your spouse, or random intruders who don't have a law enforcement or
Google maintainence reason for having that sort of IP information.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]