Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Google Accounts Security Vulnerability
From: Shreyas Zare <shreyas () secfence com>
Date: Wed, 16 May 2012 01:28:12 +0530

On Wed, May 16, 2012 at 1:02 AM, Thor (Hammer of God)
<thor () hammerofgod com>wrote:

 Regardless, if you already know the username and password for the email,
it doesn’t matter anyway no does it?  You could always get the mail via
IMAP or POP or whatever options were configured in gmail.  There wouldn’t
be any need to go to the web interface in the first place.


The verification process bypassed which the OP is talking about is
basically put in place to protect victims of phishing attacks. The phishing
attacker generally may not be in the same location as that of the victim.
Gmail web interface asks questions (mentioned my OP) so that the attacker
wont just get into the account with stolen credentials. Also note that IMAP
and POP3 can be disabled (dont remember if both are disabled by default).
So this bypass presents an interesting approach to attacker in case of IMAP
being enabled.


(If debugging is the process of removing bugs, then programming must be the
process of putting them in --Edsger Dijkstra)

Shreyas Zare
Sr. Information Security Researcher
Secfence Technologies

Follow me on twitter @shreyasonline <https://twitter.com/#%21/shreyasonline>

Check out Secfence | Blog [http://blog.secfence.com]
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]