Re: Re: [Full-disclosure] [ISecAuditors Security Advisories] Gmail vulnerable to automated password cracking
I understand what you're saying, but you're not so good at explaining things like this in a clear manner. What I understand from reading your studies, is that gmail implements one of two (or possibly both) systems where authentication is forcefully denied (to either the IP or the account): i. If 100 unsuccessful attempts to a given (or any?) email address during any 2 hour period are made, from a given IP. ii. If 100 unsuccessful attempts to a given email address during any 2 hour period are made, regardless of IP. Once the given IP successfully accesses any gmail account that it hasn't accessed in the last 2 hours, the blockade is apparently removed (for all given IPs/accounts). If this is correct, then there is a problem because the unsuccessful attempt count can be reset automatically. This has been done incorrectly time and time again. Take MSN Messenger for example: a denial of service attack is (or once was) present because access to the given account was blocked for all IPs. On the other hand, if the restriction only results in access to IP addresses being denied, then you better watch out for those people with 50,000 drone botnets because they can make 200 * 50k attempts per hour (under ideal conditions). In your opinion, Vicente, this is an exploit because it allows the attacker to bypass security features. I'm inclined to agree. In fact, I believe it fits pretty smugly into the "horizontal privilege escalation" category. Chris, if this is indeed the behaviour of gmail's implementation, and you decide to come out of denial: i. I would appreciate if you could take issues like this seriously in the future. ii. Here's a solution: block POP access to a given account after 100 unsuccessful attempts in 2 hours, regardless of IP address (or unrelated successful authentications) and force image verification for that account for the next 2 hours. Give a meaningful error like "Too many unsuccessful attempts have been made to this account. Please use webmail to login." You must admit, it doesn't look good when two people are pointing fingers at each other saying "he/she's wrong", and it does sound like Vicente has done some research. It'd pay to revise the algorithm(s) involved, in greater depth. That way, you either clear yourself or you don't look so arrogant if/when you're wrong. Kind regards, Sebastian.
Re: [Full-disclosure] [ISecAuditors Security Advisories] Gmail vulnerable to automated password cracking
Hi Chris, cev...@google.com wrote: > Hi Vicente, > > As was explained by my colleague Neel Mehta in his reply, this is not > a vulnerability. I must express my disagreement. I consider that if someone can automate the process of password cracking, exist a security problem. I have programmed a Python script that implements the process that I explain in the proof of concept paragraph, and it has allowed me to run thousands of automated requests and obtain the password of one of my test accounts. > Gmail has all sorts of additional limits on password brute forcing. > The confusion here is the difference between "login incorrect" (due to > bad password) and "login incorrect" (due to excessive login attempts). > This protection kicks in after a small number of failed attempts, > after which even correct credentials will not be accepted. You can't > tell the difference in the UI you are using, so it's understandable to > have missed these extra limits. > A malicious user can abuse the feature "Check for mail using POP3" for realize the automatic process of password cracking. As you comment, using this feature exist a lock (for 2 hours) for authentication attempts, and beyond this limit (100 requests) the message returned by the application does not allow to known if the analyzed password is correct or not. However, every 2 hours an attacker could make 100 authentication attempts. To overcome this limit (100 authentication attempts), it is sufficient that the attacker has other Gmail accounts. Each account allows the malicious user to make 100 new auhtentication attempts within 2 hours of the blockade. If the attacker wants to make an authentication attempt by second and to avoid the blockage then will need to make 3600 requests per hour. This requires that the malicious user dispose of 3600/100 = 36 Gmail accounts. As there is a blockage of 2 hours, with 72 Gmail accounts the attacker can reuse the initial account (eg "accoun...@gmail.com") after finishing the 100 authentication attempts with the last Gmail account (eg "accoun...@gmail.com). I hope that I have clarified the matter. Best regards, -- _ Vicente Aguilera Díaz Director Auditoría CISA, CISSP, ITIL CEH Instructor, ECSP Instructor, CSSLP, OPSA, OPST OWASP Spain Chapter Leader vaguil...@isecauditors.com Internet Security Auditors www.isecauditors.com c. Santander, 101. Edif. A. 2º E-08030 Barcelona (Spain) Tel: +34 93 305 13 18 Fax: +34 93 278 22 48 Pº. de la Castellana, 164-166. Entlo. 1ª E-28046 Madrid (Spain) Tel: +34 91 788 57 78 Fax: +34 91 788 57 01 Este mensaje y los documentos que, en su caso lleve anexos, pueden contener información CONFIDENCIAL. Por ello, se informa al destinatario que la información contenida en el mismo es reservada y su uso no autorizado, publicación o difusión, entera o parcialmente, tanto en formato o medio físico como electrónico, sin el previo consentimiento de Internet Security Auditors, está prohibida legalmente. Si ha recibido este correo por error, le rogamos que nos lo comunique por la misma vía o por teléfono (93 305 13 18), se abstenga de realizar copias del mensaje o remitirlo o entregarlo a otra persona y proceda a borrarlo de inmediato. En cumplimiento de la Ley Orgánica 15/1999 de 13 de diciembre de protección de datos de carácter personal, Internet Security Auditors S.L., le informa de que sus datos personales se han incluido en ficheros informatizados titularidad de Internet Security Auditors S.L., que será el único destinatario de dichos datos, y cuya finalidad exclusiva es la gestión de clientes y acciones de comunicación comercial, y de que tiene la posibilidad de ejercer los derechos de acceso, rectificación, cancelación y oposición previstos en la ley mediante carta dirigida a Internet Security Auditors, c. Santander, 101. Edif. A. 2º 1ª, 08030 Barcelona, o vía e-mail a la siguiente dirección de correo: le...@isecauditors.com > > On Fri, Jul 17, 2009 at 2:48 PM, ISecAuditors Security > Advisories wrote: >> = >> INTERNET SECURITY AUDITORS ALERT 2009-NNN >> - Original release date: July 7th, 2009 >> - Last revised: July 17th, 2009 >> - Discovered by: Vicente Aguilera Diaz >> - Severity: 4.5/10 (CVSS Base Score) >> = >> >> I. VULNERABILITY >> - >> Gmail vulnerable to automated password cracking. >> >> II. BACKGROUND >> - >> Gmail is Google's free webmail service. It comes with built-in Google >> search technology and over 7,300 megabytes of storage (and growing >> every day). You can keep all your important messages, files and >> pictures forever, use search to quickly and easily find anything >> you're looking for, and make sense of it all with a new way of viewing >> messages as part of conversations. >> >> III. DESCRIPTION >> - >> An existing abuse
Re: [Full-disclosure] [ISecAuditors Security Advisories] Gmail vulnerable to automated password cracking
Hi Vicente, As was explained by my colleague Neel Mehta in his reply, this is not a vulnerability. Gmail has all sorts of additional limits on password brute forcing. The confusion here is the difference between "login incorrect" (due to bad password) and "login incorrect" (due to excessive login attempts). This protection kicks in after a small number of failed attempts, after which even correct credentials will not be accepted. You can't tell the difference in the UI you are using, so it's understandable to have missed these extra limits. Thanks for taking the trouble to contact us, though. Chris Evans, Google Security Team On Fri, Jul 17, 2009 at 2:48 PM, ISecAuditors Security Advisories wrote: > = > INTERNET SECURITY AUDITORS ALERT 2009-NNN > - Original release date: July 7th, 2009 > - Last revised: July 17th, 2009 > - Discovered by: Vicente Aguilera Diaz > - Severity: 4.5/10 (CVSS Base Score) > = > > I. VULNERABILITY > - > Gmail vulnerable to automated password cracking. > > II. BACKGROUND > - > Gmail is Google's free webmail service. It comes with built-in Google > search technology and over 7,300 megabytes of storage (and growing > every day). You can keep all your important messages, files and > pictures forever, use search to quickly and easily find anything > you're looking for, and make sense of it all with a new way of viewing > messages as part of conversations. > > III. DESCRIPTION > - > An existing abuse of functionality in the "Check for mail using POP3" > capability permits automated attacks to the password data of the > accounts of the Gmail users evading the security measures adopted by > Google. > > Gmail implements a great number of security controls and, most of them > are not revealed until an attack is conducted or a malicious use of > the account is done. For example: > - Use of catpcha for avoiding automated processes (e.g., in the users > authentication or in the new users sign up). > - Temporary IP locking in case of detecting unusual application > activities (e.g., multiple new account creation requests) > - Temporary account locking in case of detecting unusual use of the > user account (e.g., when doing multiple consecutive request to the > same resource). > - Detection of concurrent access to the account from different > geolocated IP addresses added to the number of these accesses. > - Etc. > > Anyway, is it possible to abuse the "Check for mail using POP3" > capability to do attacks to the passwords of the users in an automated > way, evading all referred security restrictions and controls and doing > a transparent and not noticeable attack to the user that its account > is being password cracked as: > - There's no need for required action from the victim. > - There's no modification in the password of the victim. > - There's no locking in the victim account. > - There's no security notification to the victim. > > The vulnerability is aggravated due Gmail allows weak passwords to be > used by the users. So, Gmail accepts password using only one character > (e.g. "") or dictionary words (e.g. "pentagon" or "computer"). > > The abuse of this functionality permits an attacker to do thousands of > authentication requests during a day over one user account, so if the > user is using a weak password is a matter of time to guess to have > access to the mail account. > > IV. PROOF OF CONCEPT > - > As only requirement, the attacker needs a real Gmail account, but > that's not a real limitation as service is for free. > > After being authenticated, the attacker access to the option "Accounts > and import". From this tab access to "Add POP3 mail account". To add a > new account the attacker news to fill: > -User name: will be the victim email address, including "@gmail.com" > (e.g. vic...@gmail.com). > -Password: will be the password related to the previously informed user. > -POP3 server and port: could be simply "pop.gmail.com" and the 995 port. > > When asking for the new email account to be added some different > scenarios can happen: > 1. The application returns the message "The server has denied the > POP3 access to this username and password". This possibility happens > when the username do not exists or the password is incorrect. > > 2. The application returns the message "Now you can recover the > messages of this account". This other possibility happens when the > authentication has succeeded. So, the attacker informed correctly the > password to this user. > > 3. The application returns the message "You have reached the maximum > number of accounts allowed". This situation appears after adding more > than 5 email accounts or after doing 100 requests (successfully or > not) for adding a new account. Is important to notice that, after the > 100 attempts, the user must wait f