Re: [Full-disclosure] Google Accounts Security Vulnerability
- To: Mike Hearn <hearn@xxxxxxxxxx>
- Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability
- From: Michael Gray <mgray@xxxxxxxxxxxx>
- Date: Thu, 17 May 2012 08:29:38 -0700
Regardless of how you say it works, I can bypass it every time it would
seem. Again, by using the method in my original post. It's likely you have
a bug if this isn't the functionality you're after.
I appreciate the statistics but they mean little to me.
Thank you for taking the time to respond. I hope my suggestions and
findings will assist you in correcting these issues.
On May 17, 2012 5:51 AM, "Mike Hearn" <hearn@xxxxxxxxxx> wrote:
> I understand your concerns, however they are not valid. You can be
> assured of the following:
>
> 1) We do not see this system as a replacement for passwords. If we
> block a login the user is notified and asked if it was them, if it
> wasn't we ask them to pick a new password. In very high confidence
> cases we will immediately force the user to choose a new password,
> because passwords are still the first line of defense.
>
> 2) We do not see this system as a replacement for 2-factor
> authentication. However the reality is that the vast majority of our
> users do not use 2-factor authentication and this is unlikely to
> change any time soon. 2SV imposes a significant extra burden on the
> user such that despite heavy promotion many users refuse to sign up,
> and of those that do, many choose to unenroll shortly afterwards.
> Therefore we also provide this always-on best effort system as well.
>
> 3) In fact it is very effective at stopping the large, botnet driven
> types of attacks we see on a daily basis and so saying it doesn't add
> any security is wrong. Since going live the system has successfully
> defended tens of millions of users who have a compromised password. A
> single unrepresentative data point based on one account isn't enough
> for you to judge the utility of the system, whereas we can clearly see
> the stopped campaigns (and drop in number of attempts).
>
> That said, if you have friends and relatives who use Google and you'd
> like to make them more secure, by all means encourage them to set
> up two-factor authentication.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/