[ISecAuditors Security Advisories] Gmail vulnerable to automated password cracking

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-NNN
- Original release date: July 7th, 2009
- Last revised:  July 17th, 2009
- Discovered by: Vicente Aguilera Diaz
- Severity: 4.5/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Gmail vulnerable to automated password cracking.

II. BACKGROUND
-------------------------
Gmail is Google's free webmail service. It comes with built-in Google
search technology and over 7,300 megabytes of storage (and growing
every day). You can keep all your important messages, files and
pictures forever, use search to quickly and easily find anything
you're looking for, and make sense of it all with a new way of viewing
messages as part of conversations.

III. DESCRIPTION
-------------------------
An abuse-of-functionality weakness in the "Check for mail using POP3"
capability permits automated attacks against the passwords of Gmail
user accounts, evading the security measures adopted by Google.

Gmail implements a large number of security controls, most of which
are not revealed until an attack is conducted or the account is used
maliciously. For example:
- Use of a captcha to prevent automated processes (e.g., in user
authentication or in new user sign-up).
- Temporary IP locking when unusual application activity is detected
(e.g., multiple new account creation requests).
- Temporary account locking when unusual use of the user account is
detected (e.g., multiple consecutive requests to the same resource).
- Detection of concurrent access to the account from IP addresses in
different geographic locations, together with the number of such
accesses.
- Etc.

Nevertheless, it is possible to abuse the "Check for mail using POP3"
capability to attack user passwords in an automated way, evading all
the security restrictions and controls listed above. The attack is
transparent and goes unnoticed by the user whose account is being
password cracked, because:
- No action is required from the victim.
- The victim's password is not modified.
- The victim's account is not locked.
- The victim receives no security notification.

The vulnerability is aggravated because Gmail allows users to choose
weak passwords: it accepts passwords made up of a single repeated
character (e.g. "aaaaaaaa") or of dictionary words (e.g. "pentagon" or
"computer").

Abusing this functionality permits an attacker to make thousands of
authentication requests per day against one user account, so if the
user has a weak password it is only a matter of time until the
attacker guesses it and gains access to the mail account.

IV. PROOF OF CONCEPT
-------------------------
The only requirement is that the attacker has a real Gmail account,
which is not a real limitation since the service is free.

After authenticating, the attacker opens the "Accounts and import"
option and, from that tab, "Add POP3 mail account". To add a new
account the attacker needs to fill in:
 -User name: the victim's email address, including "@gmail.com"
(e.g. victim@gmail.com).
 -Password: the password guess for the user given above.
 -POP3 server and port: simply "pop.gmail.com" and port 995.

When the new email account is submitted, several different scenarios
can happen:
 1. The application returns the message "The server has denied the
POP3 access to this username and password". This happens when the
username does not exist or the password is incorrect.

 2. The application returns the message "Now you can recover the
messages of this account". This happens when the authentication has
succeeded, i.e. the attacker supplied the correct password for this
user.

 3. The application returns the message "You have reached the maximum
number of accounts allowed". This happens after adding more than 5
email accounts or after making 100 requests (successful or not) to add
a new account. It is important to note that, after the 100 attempts,
the user must wait for 2 hours.

 Using this, an attacker is able to make 100 authentication attempts
every 2 hours (1,200 attempts per day).

 It is very important to note that these requests do not require any
kind of captcha and can be made automatically knowing only the key
parameters of the request:

  -ik: alphanumeric id associated to the user and transmitted in the
   GET request.
  -GMAIL_AT: alphanumeric value associated to the user and transmitted
   in the cookie. It is only known after authentication and starts
   with the characters "xn3j3".
  -GX: alphanumeric value associated to the user and transmitted in
   the cookie. It is only known after authentication.
  -ui: numeric value. Can be fixed to the value "2" (default value)
   and is transmitted via GET.
  -view: string value. Can be fixed to the string "ma" (default value)
   and is transmitted via GET.
  -map: numeric value. Can be fixed to the value "2" (default value)
   and is transmitted via POST.
  -ma_email: email address of the account to be added. It matches the
   victim's email address and is transmitted via POST.
  -mapc: boolean value. Can be fixed to the value "true" (default
   value) and is transmitted via POST.
  -mapp: numeric value. Can be fixed to the value "1" (default value)
   and is transmitted via POST.
  -mabb: this parameter can be null (default value) and is transmitted
   via POST.
  -at: alphanumeric value associated to the user that must match the
   value of the GMAIL_AT variable explained above. This value is
   transmitted via POST.
  -ma_user: email address of the account to which the new email
   address is to be added, i.e. the attacker's email address. It is
   transmitted via POST.
  -ma_pwd: password to be tried for the victim account. It is
   transmitted via POST.
  -ma_host: address of the POP3 server. Can be fixed to the value
   "pop.gmail.com" and is transmitted via POST.
  -ma_host_sel: address of the POP3 server. Can be fixed to the value
   "pop.gmail.com" and is transmitted via POST.
  -ma_port: port of the POP3 server. Can be fixed to the value "995"
   (default value) and is transmitted via POST.
  -ma_ssl: can be fixed to the string "on" (default value) and is
   transmitted via POST.
  -ma_lbl: name of the label that will be applied to incoming emails.
   Can be fixed to the victim's email address (default value) and is
   transmitted via POST.

In summary, the POST request used for the authentication attack looks
like this:

POST http://mail.google.com/mail/?ui=2&ik=<ik_value>&view=ma HTTP/1.1
Cookie: GX=<GX_value>;  GMAIL_AT=<GMAIL_AT_value>
map=2&ma_email=<victim_email>&mapc=true&mapp=1&mabb=&at=<at_value>&ma_user=<attacker_email>&ma_pwd=<victim_pwd>&ma_host=pop.gmail.com&ma_host_sel=pop.gmail.com&ma_port=995&ma_ssl=on&ma_lbl=<email_victim>

To bypass the limitation of 1,200 requests per day it is only
necessary to have several Gmail accounts: each additional account
provides 100 more requests per 2-hour window. If the attacker wants to
make one request per second, that is 7,200 attempts every two hours,
which only requires 72 accounts, for a total of 86,400 requests per
day. More requests simply need more accounts.

Gmail account creation is a manual process, since it requires solving
a captcha. A further limitation is that Google only permits the
creation of 10 new accounts per day from the same IP address, although
proxies or the Tor network would bypass this limit. In any case, once
N accounts have been created they can be reused at any time for
password cracking.

V. BUSINESS IMPACT
-------------------------
Capability of unlimited password cracking of Gmail user accounts.
Selective DoS on users of the Gmail service (by changing the user's
password).

VI. SYSTEMS AFFECTED
-------------------------
Gmail service.

VII. SOLUTION
-------------------------
Implement better and homogeneous anti-password-cracking controls.
No solution adopted by vendor.
So, use strong passwords.
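
The following is an added example, not part of this advisory or of any Google code: a sliding-window limiter that contrasts the control described in section IV (a budget of 100 checks per 2 hours keyed on the account submitting the POP3 check, which extra attacker accounts multiply) with the same budget keyed on the target mailbox, which they cannot. The class and function names, the per-account simulation and the account names are invented for illustration.

```python
"""Added example (not from the advisory): counting "Add POP3 mail account"
credential checks keyed on the requester versus keyed on the target mailbox."""
from collections import defaultdict, deque

WINDOW_SECONDS = 2 * 60 * 60   # the 2-hour window the advisory reports
MAX_ATTEMPTS = 100             # the 100-attempt limit the advisory reports


class AttemptLimiter:
    """Sliding-window counter of POP3 credential checks (hypothetical class).

    key_on="requester" models the control the advisory describes: every
    requesting account gets its own budget, so N attacker-controlled
    accounts give N * MAX_ATTEMPTS checks against one victim per window.
    key_on="target" is the corrected policy: every check against a mailbox
    counts towards that mailbox's budget, whoever submits it.
    """

    def __init__(self, key_on="requester", window=WINDOW_SECONDS, limit=MAX_ATTEMPTS):
        if key_on not in ("requester", "target"):
            raise ValueError("key_on must be 'requester' or 'target'")
        self.key_on = key_on
        self.window = window
        self.limit = limit
        self._attempts = defaultdict(deque)   # key -> timestamps of recent checks

    def _key(self, requester, target):
        return requester if self.key_on == "requester" else target

    def allow(self, requester, target, now):
        """Return True and record the check if the budget for this key still
        has room, False if it is exhausted. `now` is a timestamp in seconds."""
        q = self._attempts[self._key(requester, target)]
        # Expire checks that fell out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def budget_exhausted(self, target, now):
        """True when the target mailbox's budget is used up under the
        target-keyed policy: the point at which the service can notify the
        owner and step up to a challenge for further checks on that mailbox."""
        if self.key_on != "target":
            return False
        q = self._attempts[target]
        return sum(1 for t in q if now - t < self.window) >= self.limit


def attempts_reaching_target(limiter, attacker_accounts, target, now=0):
    """Simulate each attacker account submitting checks against `target` until
    the limiter refuses one; return how many checks reached the target's
    credentials within a single window."""
    reached = 0
    for acct in attacker_accounts:
        for _ in range(limiter.limit + 1):   # one past the limit, to hit the refusal
            if limiter.allow(acct, target, now):
                reached += 1
            else:
                break
    return reached


if __name__ == "__main__":
    accounts = [f"attacker{i}@example.invalid" for i in range(72)]   # constructed names
    for policy in ("requester", "target"):
        n = attempts_reaching_target(AttemptLimiter(policy), accounts, "victim@example.invalid")
        print(f"keyed on {policy:9}: {n} guesses reach the victim per 2-hour window")
```

Keying on the target also gives the service a natural point at which to notify the mailbox owner and to step up to a challenge rather than a hard lock, since a hard per-mailbox lock can itself be turned into a denial of service against the victim.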

VIII. REFERENCES
-------------------------
http://mail.google.com
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
July  07, 2009: Initial release.
July  13, 2009: Minor revision.
July  17, 2009: Last update.

XI. DISCLOSURE TIMELINE
-------------------------
July  05, 2009: Discovered by Internet Security Auditors.
July  13, 2009: Gmail security team contacted.
July  15, 2009: Request for confirmation of reception and analysis.
July  17, 2009: Answer from Google stating that the 100-attempt
                control limit is robust enough, although the advisory
                PoC shows how to evade this weak security control.
                Publication of the advisory in the lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.


Replies to this exploit:

From: admin@geekycode.net
Sent: Tue 21. Jul 2009 14:38
I understand what you're saying, but you're not so good at explaining things like this in a clear manner. What I understand from reading your studies is that gmail implements one of two (or possibly both) systems where authentication is forcefully denied (to either the IP or the account):
i. If 100 unsuccessful attempts to a given (or any?) email address during any 2 hour period are made, from a given IP.
ii. If 100 unsuccessful attempts to a given email address during any 2 hour period are made, regardless of IP.

Once the given IP successfully accesses any gmail account that it hasn't accessed in the last 2 hours, the blockade is apparently removed (for all given IPs/accounts). If this is correct, then there is a problem because the unsuccessful attempt count can be reset automatically.

This has been done incorrectly time and time again. Take MSN Messenger for example: a denial of service attack is (or once was) present because access to the given account was blocked for all IPs.

On the other hand, if the restriction only results in access to IP addresses being denied, then you better watch out for those people with 50,000 drone botnets because they can make 200 * 50k attempts per hour (under ideal conditions).

In your opinion, Vicente, this is an exploit because it allows the attacker to bypass security features. I'm inclined to agree. In fact, I believe it fits pretty smugly into the "horizontal privilege escalation" category. Chris, if this is indeed the behaviour of gmail's implementation, and you decide to come out of denial:
i. I would appreciate if you could take issues like this seriously in the future.
ii. Here's a solution: block POP access to a given account after 100 unsuccessful attempts in 2 hours, regardless of IP address (or unrelated successful authentications) and force image verification for that account for the next 2 hours. Give a meaningful error like "Too many unsuccessful attempts have been made to this account. Please use webmail to login."

You must admit, it doesn't look good when two people are pointing fingers at each other saying "he/she's wrong", and it does sound like Vicente has done some research. It'd pay to revise the algorithm(s) involved, in greater depth. That way, you either clear yourself or you don't look so arrogant if/when you're wrong.

Kind regards, Sebastian.


On the other hand, if the restriction only results in access to IP addresses being denied, then you better watch out for those people with 50,000 drone botnets because they can make 200 * 50k attempts per hour (under ideal conditions).

In your opinion, Vicente, this is an exploit because it allows the attacker to bypass security features. Im inclined to agree. In fact, I believe it fits pretty smugly into the "horizontal privilege escalation" category. Chris, if this is indeed the behaviour of gmails implementation, and you decide to come out of denial:
i. I would appreciate if you could take issues like this seriously in the future.
ii. Heres a solution: block POP access to a given account after 100 unsuccessful attempts in 2 hours, regardless of IP address (or unrelated successful authentications) and force image verification for that account for the next 2 hours. Give a meaningful error like "Too many unsuccessful attempts have been made to this account. Please use webmail to login."

You must admit, it doesnt look good when two people are pointing fingers at each other saying "he/shes wrong", and it does sound like Vicente has done some research. Itd pay to revise the algorithm(s) involved, in greater depth. That way, you either clear yourself or you dont look so arrogant if/when youre wrong.

Kind regards, Sebastian.


From: admin@geekycode.net
Sent: Tue 21. Jul 2009 14:38
I understand what youre saying, but youre not so good at explaining things like this in a clear manner. What I understand from reading your studies, is that gmail implements one of two (or possibly both) systems where authentication is forcefully denied (to either the IP or the account):
i. If 100 unsuccessful attempts to a given (or any?) email address during any 2 hour period are made, from a given IP.
ii. If 100 unsuccessful attempts to a given email address during any 2 hour period are made, regardless of IP.

Once the given IP successfully accesses any gmail account that it hasnt accessed in the last 2 hours, the blockade is apparently removed (for all given IPs/accounts). If this is correct, then there is a problem because the unsuccessful attempt count can be reset automatically.

This has been done incorrectly time and time again. Take MSN Messenger for example: a denial of service attack is (or once was) present because access to the given account was blocked for all IPs.

On the other hand, if the restriction only results in access to IP addresses being denied, then you better watch out for those people with 50,000 drone botnets because they can make 200 * 50k attempts per hour (under ideal conditions).

In your opinion, Vicente, this is an exploit because it allows the attacker to bypass security features. Im inclined to agree. In fact, I believe it fits pretty smugly into the "horizontal privilege escalation" category. Chris, if this is indeed the behaviour of gmails implementation, and you decide to come out of denial:
i. I would appreciate if you could take issues like this seriously in the future.
ii. Heres a solution: block POP access to a given account after 100 unsuccessful attempts in 2 hours, regardless of IP address (or unrelated successful authentications) and force image verification for that account for the next 2 hours. Give a meaningful error like "Too many unsuccessful attempts have been made to this account. Please use webmail to login."

You must admit, it doesnt look good when two people are pointing fingers at each other saying "he/shes wrong", and it does sound like Vicente has done some research. Itd pay to revise the algorithm(s) involved, in greater depth. That way, you either clear yourself or you dont look so arrogant if/when youre wrong.

Kind regards, Sebastian.


From: admin@geekycode.net
Sent: Tue 21. Jul 2009 14:38
I understand what youre saying, but youre not so good at explaining things like this in a clear manner. What I understand from reading your studies, is that gmail implements one of two (or possibly both) systems where authentication is forcefully denied (to either the IP or the account):
i. If 100 unsuccessful attempts to a given (or any?) email address during any 2 hour period are made, from a given IP.
ii. If 100 unsuccessful attempts to a given email address during any 2 hour period are made, regardless of IP.

Once the given IP successfully accesses any gmail account that it hasnt accessed in the last 2 hours, the blockade is apparently removed (for all given IPs/accounts). If this is correct, then there is a problem because the unsuccessful attempt count can be reset automatically.

This has been done incorrectly time and time again. Take MSN Messenger for example: a denial of service attack is (or once was) present because access to the given account was blocked for all IPs.

On the other hand, if the restriction only results in access to IP addresses being denied, then you better watch out for those people with 50,000 drone botnets because they can make 200 * 50k attempts per hour (under ideal conditions).

In your opinion, Vicente, this is an exploit because it allows the attacker to bypass security features. Im inclined to agree. In fact, I believe it fits pretty smugly into the "horizontal privilege escalation" category. Chris, if this is indeed the behaviour of gmails implementation, and you decide to come out of denial:
i. I would appreciate if you could take issues like this seriously in the future.
ii. Heres a solution: block POP access to a given account after 100 unsuccessful attempts in 2 hours, regardless of IP address (or unrelated successful authentications) and force image verification for that account for the next 2 hours. Give a meaningful error like "Too many unsuccessful attempts have been made to this account. Please use webmail to login."

You must admit, it doesnt look good when two people are pointing fingers at each other saying "he/shes wrong", and it does sound like Vicente has done some research. Itd pay to revise the algorithm(s) involved, in greater depth. That way, you either clear yourself or you dont look so arrogant if/when youre wrong.

Kind regards, Sebastian.


From: admin@geekycode.net
Sent: Tue 21. Jul 2009 14:38
I understand what youre saying, but youre not so good at explaining things like this in a clear manner. What I understand from reading your studies, is that gmail implements one of two (or possibly both) systems where authentication is forcefully denied (to either the IP or the account):
i. If 100 unsuccessful attempts to a given (or any?) email address during any 2 hour period are made, from a given IP.
ii. If 100 unsuccessful attempts to a given email address during any 2 hour period are made, regardless of IP.

Once the given IP successfully accesses any gmail account that it hasnt accessed in the last 2 hours, the blockade is apparently removed (for all given IPs/accounts). If this is correct, then there is a problem because the unsuccessful attempt count can be reset automatically.

This has been done incorrectly time and time again. Take MSN Messenger for example: a denial of service attack is (or once was) present because access to the given account was blocked for all IPs.

On the other hand, if the restriction only results in access to IP addresses being denied, then you better watch out for those people with 50,000 drone botnets because they can make 200 * 50k attempts per hour (under ideal conditions).

In your opinion, Vicente, this is an exploit because it allows the attacker to bypass security features. Im inclined to agree. In fact, I believe it fits pretty smugly into the "horizontal privilege escalation" category. Chris, if this is indeed the behaviour of gmails implementation, and you decide to come out of denial:
i. I would appreciate if you could take issues like this seriously in the future.
ii. Heres a solution: block POP access to a given account after 100 unsuccessful attempts in 2 hours, regardless of IP address (or unrelated successful authentications) and force image verification for that account for the next 2 hours. Give a meaningful error like "Too many unsuccessful attempts have been made to this account. Please use webmail to login."

You must admit, it doesnt look good when two people are pointing fingers at each other saying "he/shes wrong", and it does sound like Vicente has done some research. Itd pay to revise the algorithm(s) involved, in greater depth. That way, you either clear yourself or you dont look so arrogant if/when youre wrong.

Kind regards, Sebastian.


From: admin@geekycode.net
Sent: Tue 21. Jul 2009 14:38
I understand what youre saying, but youre not so good at explaining things like this in a clear manner. What I understand from reading your studies, is that gmail implements one of two (or possibly both) systems where authentication is forcefully denied (to either the IP or the account):
i. If 100 unsuccessful attempts to a given (or any?) email address during any 2 hour period are made, from a given IP.
ii. If 100 unsuccessful attempts to a given email address during any 2 hour period are made, regardless of IP.

Once the given IP successfully accesses any gmail account that it hasnt accessed in the last 2 hours, the blockade is apparently removed (for all given IPs/accounts). If this is correct, then there is a problem because the unsuccessful attempt count can be reset automatically.

This has been done incorrectly time and time again. Take MSN Messenger for example: a denial of service attack is (or once was) present because access to the given account was blocked for all IPs.

On the other hand, if the restriction only results in access to IP addresses being denied, then you better watch out for those people with 50,000 drone botnets because they can make 200 * 50k attempts per hour (under ideal conditions).

In your opinion, Vicente, this is an exploit because it allows the attacker to bypass security features. Im inclined to agree. In fact, I believe it fits pretty smugly into the "horizontal privilege escalation" category. Chris, if this is indeed the behaviour of gmails implementation, and you decide to come out of denial:
i. I would appreciate if you could take issues like this seriously in the future.
ii. Heres a solution: block POP access to a given account after 100 unsuccessful attempts in 2 hours, regardless of IP address (or unrelated successful authentications) and force image verification for that account for the next 2 hours. Give a meaningful error like "Too many unsuccessful attempts have been made to this account. Please use webmail to login."

You must admit, it doesnt look good when two people are pointing fingers at each other saying "he/shes wrong", and it does sound like Vicente has done some research. Itd pay to revise the algorithm(s) involved, in greater depth. That way, you either clear yourself or you dont look so arrogant if/when youre wrong.

Kind regards, Sebastian.


From: admin@geekycode.net
Sent: Tue 21. Jul 2009 14:38
I understand what youre saying, but youre not so good at explaining things like this in a clear manner. What I understand from reading your studies, is that gmail implements one of two (or possibly both) systems where authentication is forcefully denied (to either the IP or the account):
i. If 100 unsuccessful attempts to a given (or any?) email address during any 2 hour period are made, from a given IP.
ii. If 100 unsuccessful attempts to a given email address during any 2 hour period are made, regardless of IP.

Once the given IP successfully accesses any gmail account that it hasnt accessed in the last 2 hours, the blockade is apparently removed (for all given IPs/accounts). If this is correct, then there is a problem because the unsuccessful attempt count can be reset automatically.

This has been done incorrectly time and time again. Take MSN Messenger for example: a denial of service attack is (or once was) present because access to the given account was blocked for all IPs.

On the other hand, if the restriction only results in access to IP addresses being denied, then you better watch out for those people with 50,000 drone botnets because they can make 200 * 50k attempts per hour (under ideal conditions).

In your opinion, Vicente, this is an exploit because it allows the attacker to bypass security features. Im inclined to agree. In fact, I believe it fits pretty smugly into the "horizontal privilege escalation" category. Chris, if this is indeed the behaviour of gmails implementation, and you decide to come out of denial:
i. I would appreciate if you could take issues like this seriously in the future.
ii. Heres a solution: block POP access to a given account after 100 unsuccessful attempts in 2 hours, regardless of IP address (or unrelated successful authentications) and force image verification for that account for the next 2 hours. Give a meaningful error like "Too many unsuccessful attempts have been made to this account. Please use webmail to login."

You must admit, it doesnt look good when two people are pointing fingers at each other saying "he/shes wrong", and it does sound like Vicente has done some research. Itd pay to revise the algorithm(s) involved, in greater depth. That way, you either clear yourself or you dont look so arrogant if/when youre wrong.

Kind regards, Sebastian.