Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Google Accounts Security Vulnerability
From: Ferenc Kovacs <tyra3l () gmail com>
Date: Tue, 15 May 2012 21:46:23 +0200

I don't know much about the verification mentioned here, but google/gmail
has a 2-step verification, which solves the problem a little bit better imo.
When you try to log in from a new computer you will be prompted for a code
which is sent via sms to your phone.
And that is the only place where you can log in with your google user+pass,
every other application requires an application specific password, which
can be only generated after you successfully log in into the web
interface(with an exception: I remember that trying to add my google
account to my android phone triggered an application specific password to
be sent via sms)..
So if the 2-step verification is turned on, you won't compromise your
account instantly, the attacker has to have access either to your phone, or
a device which is already on your trusted device list..
On Tue, May 15, 2012 at 9:32 PM, Thor (Hammer of God)
<thor () hammerofgod com>wrote:

 Logging on to IMAP mail as one would be doing hundreds of times per day
is not going to reset the web cookie.  If that is what the OP is reporting,
I would have to question if his recollection is correct since, by that
logic, the password reset feature would never be activated since any other
IMAP logon would clear it.  ****

** **

If the user logged in, and was presented with the questions as stated,
then it probably cleared any requirement since he would have to accept
that.  Unless he is saying that when presented with the questions he
purposefully did not put them in and tried to logon to IMAP which I find

** **

Regardless, if you already know the username and password for the email,
it doesn’t matter anyway no does it?  You could always get the mail via
IMAP or POP or whatever options were configured in gmail.  There wouldn’t
be any need to go to the web interface in the first place.   ****

** **

Now that I know I’m not missing anything, I’ll just let this one die on
the vine. ****


Ferenc Kovács
@Tyr43l - http://tyrael.hu
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]