mailing list archives
Re: Google Accounts Security Vulnerability
From: Shreyas Zare <shreyas () secfence com>
Date: Wed, 16 May 2012 01:28:12 +0530
On Wed, May 16, 2012 at 1:02 AM, Thor (Hammer of God)
<thor () hammerofgod com>wrote:
Regardless, if you already know the username and password for the email,
it doesn’t matter anyway no does it? You could always get the mail via
IMAP or POP or whatever options were configured in gmail. There wouldn’t
be any need to go to the web interface in the first place.
The verification process bypassed which the OP is talking about is
basically put in place to protect victims of phishing attacks. The phishing
attacker generally may not be in the same location as that of the victim.
Gmail web interface asks questions (mentioned my OP) so that the attacker
wont just get into the account with stolen credentials. Also note that IMAP
and POP3 can be disabled (dont remember if both are disabled by default).
So this bypass presents an interesting approach to attacker in case of IMAP
(If debugging is the process of removing bugs, then programming must be the
process of putting them in --Edsger Dijkstra)
Sr. Information Security Researcher
Follow me on twitter @shreyasonline <https://twitter.com/#%21/shreyasonline>
Check out Secfence | Blog [http://blog.secfence.com]
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Re: Google Accounts Security Vulnerability Alex Buie (May 14)