[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Re: [Full-disclosure] [ISecAuditors Security Advisories] Gmail vulnerable to automated password cracking
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: Re: [Full-disclosure] [ISecAuditors Security Advisories] Gmail vulnerable to automated password cracking
- From: admin@xxxxxxxxxxxxx
- Date: 21 Jul 2009 14:38:57 -0000
I understand what you're saying, but you're not so good at explaining things
like this in a clear manner. What I understand from reading your studies, is
that gmail implements one of two (or possibly both) systems where
authentication is forcefully denied (to either the IP or the account):
i. If 100 unsuccessful attempts to a given (or any?) email address during any 2
hour period are made, from a given IP.
ii. If 100 unsuccessful attempts to a given email address during any 2 hour
period are made, regardless of IP.
Once the given IP successfully accesses any gmail account that it hasn't
accessed in the last 2 hours, the blockade is apparently removed (for all given
IPs/accounts). If this is correct, then there is a problem because the
unsuccessful attempt count can be reset automatically.
This has been done incorrectly time and time again. Take MSN Messenger for
example: a denial of service attack is (or once was) present because access to
the given account was blocked for all IPs.
On the other hand, if the restriction only results in access to IP addresses
being denied, then you better watch out for those people with 50,000 drone
botnets because they can make 200 * 50k attempts per hour (under ideal
conditions).
In your opinion, Vicente, this is an exploit because it allows the attacker to
bypass security features. I'm inclined to agree. In fact, I believe it fits
pretty smugly into the "horizontal privilege escalation" category. Chris, if
this is indeed the behaviour of gmail's implementation, and you decide to come
out of denial:
i. I would appreciate if you could take issues like this seriously in the
future.
ii. Here's a solution: block POP access to a given account after 100
unsuccessful attempts in 2 hours, regardless of IP address (or unrelated
successful authentications) and force image verification for that account for
the next 2 hours. Give a meaningful error like "Too many unsuccessful attempts
have been made to this account. Please use webmail to login."
You must admit, it doesn't look good when two people are pointing fingers at
each other saying "he/she's wrong", and it does sound like Vicente has done
some research. It'd pay to revise the algorithm(s) involved, in greater depth.
That way, you either clear yourself or you don't look so arrogant if/when
you're wrong.
Kind regards, Sebastian.