Re: Re: [Full-disclosure] [ISecAuditors Security Advisories] Gmail vulnerable to automated password cracking

I understand what you're saying, but you're not so good at explaining things like this in a clear manner. What I understand from reading your studies, is that gmail implements one of two (or possibly both) systems where authentication is forcefully denied (to either the IP or the account):
i. If 100 unsuccessful attempts to a given (or any?) email address during any 2 hour period are made, from a given IP.
ii. If 100 unsuccessful attempts to a given email address during any 2 hour period are made, regardless of IP.

Once the given IP successfully accesses any gmail account that it hasn't accessed in the last 2 hours, the blockade is apparently removed (for all given IPs/accounts). If this is correct, then there is a problem because the unsuccessful attempt count can be reset automatically.

This has been done incorrectly time and time again. Take MSN Messenger for example: a denial of service attack is (or once was) present because access to the given account was blocked for all IPs.

On the other hand, if the restriction only results in access to IP addresses being denied, then you better watch out for those people with 50,000 drone botnets because they can make 200 * 50k attempts per hour (under ideal conditions).

In your opinion, Vicente, this is an exploit because it allows the attacker to bypass security features. I'm inclined to agree. In fact, I believe it fits pretty smugly into the "horizontal privilege escalation" category. Chris, if this is indeed the behaviour of gmail's implementation, and you decide to come out of denial:
i. I would appreciate if you could take issues like this seriously in the future.
ii. Here's a solution: block POP access to a given account after 100 unsuccessful attempts in 2 hours, regardless of IP address (or unrelated successful authentications) and force image verification for that account for the next 2 hours. Give a meaningful error like "Too many unsuccessful attempts have been made to this account. Please use webmail to login."

You must admit, it doesn't look good when two people are pointing fingers at each other saying "he/she's wrong", and it does sound like Vicente has done some research. It'd pay to revise the algorithm(s) involved, in greater depth. That way, you either clear yourself or you don't look so arrogant if/when you're wrong.

Kind regards, Sebastian.
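The two lockout policies discussed in this message, modelled as an added example that is not part of the original thread and is not Google's code: the first class assumes the behaviour the message describes (failures counted per source IP, and the count cleared by any successful login from that IP), the second implements the per-account fix proposed above (100 failures in 2 hours regardless of IP, no reset on unrelated successes, POP refused for the account for the next 2 hours with the suggested error text). Account names, the IP address and the timestamps are constructed for the simulation.

```python
"""Constructed model of the two lockout policies from the thread; not Google's code."""
from collections import deque

WINDOW_SECONDS = 2 * 60 * 60   # the 2-hour window from the thread
MAX_FAILURES = 100             # the 100-attempt threshold from the thread


def _prune(timestamps, now):
    """Drop failure timestamps that have fallen out of the sliding window."""
    while timestamps and now - timestamps[0] >= WINDOW_SECONDS:
        timestamps.popleft()


class ResettingIpLimiter:
    """Assumed model of the behaviour described in the message: failures are
    counted per source IP, and any successful login from that IP clears them."""

    def __init__(self):
        self.failures = {}  # ip -> deque of failure timestamps

    def is_blocked(self, ip, now):
        dq = self.failures.get(ip)
        if dq is None:
            return False
        _prune(dq, now)
        return len(dq) >= MAX_FAILURES

    def record(self, ip, success, now):
        if success:
            # The weakness: an unrelated successful login resets the counter.
            self.failures.pop(ip, None)
        else:
            self.failures.setdefault(ip, deque()).append(now)


class PerAccountLimiter:
    """The policy proposed in the message: count failures per account regardless
    of IP, never reset on a success, and refuse POP access to the account for
    WINDOW_SECONDS once the threshold is reached (webmail with image
    verification remains the way in)."""

    POP_BLOCKED_MESSAGE = ("Too many unsuccessful attempts have been made to this "
                           "account. Please use webmail to login.")

    def __init__(self):
        self.failures = {}      # account -> deque of failure timestamps
        self.locked_until = {}  # account -> time at which POP access resumes

    def pop_allowed(self, account, now):
        """Return (allowed, message) for a POP login attempt on `account`."""
        until = self.locked_until.get(account)
        if until is not None and now < until:
            return False, self.POP_BLOCKED_MESSAGE
        return True, ""

    def record(self, account, success, now):
        if success:
            return  # successes never touch the failure count
        dq = self.failures.setdefault(account, deque())
        dq.append(now)
        _prune(dq, now)
        if len(dq) >= MAX_FAILURES:
            self.locked_until[account] = now + WINDOW_SECONDS


def simulate():
    """Drive both policies with one constructed attempt sequence and report
    whether the target is blocked at three points in time."""
    t0 = 1_000_000  # constructed epoch-style timestamp
    flawed = ResettingIpLimiter()
    proposed = PerAccountLimiter()

    # 100 wrong passwords against victim@example.com within a few seconds.
    # The per-IP model only sees the source address; the per-account model
    # only sees the account, so source IP is irrelevant to it.
    for i in range(MAX_FAILURES):
        flawed.record("198.51.100.7", False, t0 + i)
        proposed.record("victim@example.com", False, t0 + i)
    before = (flawed.is_blocked("198.51.100.7", t0 + 200),
              not proposed.pop_allowed("victim@example.com", t0 + 200)[0])

    # A valid login to an unrelated account from the same IP.
    flawed.record("198.51.100.7", True, t0 + 300)
    proposed.record("other@example.com", True, t0 + 300)
    after_success = (flawed.is_blocked("198.51.100.7", t0 + 400),
                     not proposed.pop_allowed("victim@example.com", t0 + 400)[0])

    # Once the 2-hour window has passed, the account lock expires on its own.
    later = t0 + 99 + WINDOW_SECONDS
    after_window = (flawed.is_blocked("198.51.100.7", later),
                    not proposed.pop_allowed("victim@example.com", later)[0])

    return {"blocked_before": before,
            "blocked_after_unrelated_success": after_success,
            "blocked_after_window": after_window}


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

Running `simulate()` shows the point of the message in one line of output each: both policies block after the 100th failure, only the per-IP model is cleared by the unrelated successful login, and the per-account lock still expires by itself after the window so a legitimate owner is not locked out for good.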