Full Disclosure mailing list archives

Google Accounts Security Vulnerability
From: "Michael J. Gray" <mgray () emitcode com>
Date: Sat, 12 May 2012 04:22:30 -0700

Effective since May 1, 2012.

Products Affected: All Google account based services


Upon attempting to log in to my Google account while away from home, I was
presented with a message that required me to confirm various details about
my account in order to ensure I was a legitimate user and not just someone
who came across my username and password. Unable to remember what my phone
number from 2004 was, I looked for a way around it.

The questions presented to me were:

    Complete the email address: a******g () gmail com

    Complete the phone number: (425) 4**-***7


Since this was presented to me, I was certain I had my username and password

From there, I simply went to check my email via IMAP at the new location.

I was immediately granted access to my email inboxes with no trouble.


From there, I attempted to log in to my Google account with the same
username and password.

To my surprise, I was not presented with any questions to confirm my

This completes the steps required to bypass this account hijacking


This just goes to show that even the largest corporations that employ teams
of security experts can also overlook very simple issues.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
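Added illustration, not from the post above and not Google's code: a toy Python model of the step-up check as the post describes it (web logins from a new location are challenged, an IMAP login is not, and a successful IMAP login makes the later web challenge disappear), placed beside a variant that applies the same new-location check to every channel and only trusts a location after a passed challenge. The Account and Login records, the channel labels and the two policy functions are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    """Per-account state (assumed): locations already trusted."""
    known_locations: set = field(default_factory=set)

@dataclass
class Login:
    """One login attempt (assumed): channel label, coarse location,
    and whether the user passed the step-up questions on this attempt."""
    channel: str
    location: str
    passed_challenge: bool = False

def weak_policy(acct, login):
    """Models the behaviour reported in the post: only the web channel is
    challenged from a new location, and any successful login (IMAP
    included) marks that location as known for later web logins."""
    if login.location in acct.known_locations:
        return "allow"
    if login.channel == "web" and not login.passed_challenge:
        return "challenge"
    acct.known_locations.add(login.location)
    return "allow"

def strict_policy(acct, login):
    """Hardened variant: every channel gets the same new-location check,
    and a location becomes known only after a passed challenge."""
    if login.location in acct.known_locations:
        return "allow"
    if not login.passed_challenge:
        return "challenge"
    acct.known_locations.add(login.location)
    return "allow"

def replay(policy):
    """Replays a constructed sequence mirroring the post: web, IMAP and
    web again from a new location, then a web login that passes the
    challenge. Returns the policy's decision for each step."""
    acct = Account(known_locations={"home"})
    steps = [Login("web", "hotel"), Login("imap", "hotel"),
             Login("web", "hotel"), Login("web", "hotel", True)]
    return [policy(acct, s) for s in steps]

if __name__ == "__main__":
    print("reported:", replay(weak_policy))    # challenge, allow, allow, allow
    print("hardened:", replay(strict_policy))  # challenge x3, then allow
```

The point of the comparison is that a step-up check only protects an account if every login path (legacy mail protocols included) is subject to it and if passing it, not merely logging in, is what earns trust for a new location.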
