Google Blogoscoped

Forum

Possible Google Account loophole reported

Juha-Matti Laurio [PersonRank 10]

Wednesday, May 28, 2008
11 years ago4,290 views

This information related to error messages generated after typing wrong captcha recognition or wrong password has been posted to Full-Disclosure security mailing list recently:

lists.grok.org.uk/pipermail/fu ...

Tony Ruscoe [PersonRank 10]

11 years ago #

That's an excellent point if it's correct. This had actually crossed my mind before when I had to enter a captcha but I never bothered to go through the various combinations.

Rohit Srivastwa [PersonRank 10]

11 years ago #

Its correct.
I tried and is working as explained and is scary.

Good find

/pd [PersonRank 10]

11 years ago #

Juha-Matti Laurio, I wonder if Cryptreaper had went thru with the protocol of contacting vendor before getting into FD mode. Responsible discoulsures is an art by itself!!

David Mulder [PersonRank 10]

11 years ago #

Still it would take ages to bruteforce most modern passwords... so I wouldn't call it scary, its just a stupid (not too dangerous) design mistake...

TOMHTML [PersonRank 10]

11 years ago #

I think if you load too many pages too quickly, Google will block your access to its domain.
So, I suppose, bruteforce is nearly impossible with Google.

Philipp Lenssen [PersonRank 10]

11 years ago #

Did you test that? If so, what if the abuser uses some distributed system with different IPs?

TOMHTML [PersonRank 10]

11 years ago #

different IP is a good idea.

But I've tested that some months ago by accident. We were at university with my classmates, modifying computers, when we had to send a mail to our teacher. But the keyboard was QWERTY (and not French AZERTY), so many people failed to enter their password of their Gmail account. Then, during 30 minutes, there was a message "we have detected a spyware on your computer which makes too many request, please try again later".

Juha-Matti Laurio [PersonRank 10]

11 years ago #

To pd: I believe that Cryptreaper has not contacted the vendor.
I'm not sure about that. However, it was not posted to moderated Bugtraq list at all.

Tony Ruscoe [PersonRank 10]

11 years ago #

<< I think if you load too many pages too quickly, Google will block your access to its domain. >>

I don't think that happens on the standard Google Account login page...

TOMHTML [PersonRank 10]

11 years ago #

So, according to you, Google would block dude who loads 30 SERPs/minute, but not the one trying 100 bad passwords/minute?
That's not security, it's stupidity.

Tony Ruscoe [PersonRank 10]

11 years ago #

Not necessarily. Google could (and probably does) block users for too many attempted logins but not for simple page requests. So "if you load too many pages too quickly" (as you said) Google wouldn't necessarily block you.

TOMHTML [PersonRank 10]

11 years ago #

If often happen in schools, colleges, etc. Because students perform too many searches.


mydigitallife.info/wp-content/ ...

Tony Ruscoe [PersonRank 10]

11 years ago #

Yep. I've seen it happen for me when I've been refining my search queries too.

Juha-Matti Laurio [PersonRank 10]

11 years ago #

When the weekend is over soon there are no replies posted to Full-Disclosure list.

Stephen Tordoff [PersonRank 10]

11 years ago #

This appears to be fixed. With or without my correct password, I get:

"Enter the correct password above and then type the characters you see in the picture below."


"Enter the letters as they are shown in the image above"

Martin Porcheron [PersonRank 10]

11 years ago #

<<Because students perform too many searches.>>
Our entire county is on one ISP, on the hour every hour, Google starts getting difficult.

This thread is locked as it's old... but you can create a new thread in the forum. 

Forum home

Advertisement

 
Blog  |  Forum     more >> Archive | Feed | Google's blogs | About
Advertisement

 

This site unofficially covers Google™ and more with some rights reserved. Join our forum!