Thursday, September 5, 2013

Your Gmail Account Can Be Owned IF...

Hey, what's up? Here's another share from me.

I found this issue by accident when I tried to create a test Gmail account. From that, I noticed that your Gmail account can be taken over EASILY, with no technical skill needed.

Before proceeding with the full disclosure, two questions for you.
1 - Have you used your Gmail on a shared network? (internal office, internet cafe, airport Wi-Fi, hotel, others?)
Image from www.itp.net

2 - Did you forget to enable 2-step verification or a security question?
Image from http://sondreb.com


If your answer to both of these questions is YES, just keep calm and relax when your account gets compromised. Is this a bug? An issue? In the opinion of Google's Security Team, NO. This is how Google's account recovery process is meant to work.

Proof of Concept
paswedtest@gmail.com was created without any security question. On the same network as the attacker (***@gmail.com), this user logged into his Gmail.



So what happens when you log into your account? See below.


Is this related? Yes. Let's check what happens when we try to recover the account.


Above is the first hint: recover using a device you recently used. So is it possible to recover an account from an HP computer when I logged in from an ACER computer yesterday? YES. The recovery process never checks the device itself; what it actually checks is the User-Agent string (based on a few tests by me and my friends).

Let's proceed.


Enter our email (the address we want the recovery link sent to) as shown above. Does it need to be related to the account? NO.


Oh crap! I don't know any of these! Read the statement: you don't need the answers. Just close your eyes and fill them in randomly. The process does not check them at all!


Oh, another one! Chill. Just choose "Skip these questions". This section is just decoration.


This? More decoration. No need to fill them in; just submit. But wait! Look at the half-blurred text... something related to IP. Yes, this recovery needs the IP address. So is it necessary to use the same IP that was used during login (e.g. 1.1.1.1)? From our testing, the account can be recovered from 1.1.1.2 or 1.1.1.99 too, as long as the address is still in the same segment.
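To make the checks described in the steps above concrete, here is an added example. It is my own model of the behaviour the post reports, not Google's code and not anything the author published: the User-Agent must match a recent login and the requester's IP must sit in the same segment (assumed here to mean a shared /24), while the recovery address and the security answers are ignored. Next to it is a hardened variant of my own that binds recovery to a secret device token issued at login and to the exact login IP. The account, token, User-Agent and request values are constructed for the demo.

```python
"""Model of the account-recovery heuristic described in this post.

Added example: NOT Google's code and not the author's. It models the
behaviour the post reports so the weakness can be reasoned about.
"""
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ip: str
    user_agent: str
    device_token: str  # hypothetical: random secret set in a cookie at login


@dataclass(frozen=True)
class Account:
    email: str
    recovery_emails: frozenset  # addresses registered in advance (empty = none)
    answers: dict               # security answers on file (empty = none, as in the post)
    recent_logins: tuple


@dataclass(frozen=True)
class RecoveryRequest:
    ip: str
    user_agent: str
    recovery_email: str
    answers: dict
    device_token: str = ""      # an attacker on the LAN never saw the owner's cookie


def same_segment(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """'Same segment' as the post describes it, assumed here to mean a shared /24."""
    net_a = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{prefix}", strict=False)
    return net_a == net_b


def weak_recovery_check(account: Account, req: RecoveryRequest) -> bool:
    """The heuristic the post reports: one recent login with the same
    User-Agent from the same IP segment is enough. The recovery address
    and the security answers are never consulted."""
    return any(
        login.user_agent == req.user_agent and same_segment(login.ip, req.ip)
        for login in account.recent_logins
    )


def strict_recovery_check(account: Account, req: RecoveryRequest) -> bool:
    """Hardened variant (my suggestion, not a description of any Google fix):
    a registered recovery address, when one exists, must be used; answers on
    file must match (constant-time compare); and the request must carry the
    secret device token issued at login, from the exact IP of that login."""
    if account.recovery_emails and req.recovery_email not in account.recovery_emails:
        return False
    for question, expected in account.answers.items():
        given = req.answers.get(question, "")
        if not hmac.compare_digest(expected.strip().lower(), given.strip().lower()):
            return False
    return any(
        login.ip == req.ip and hmac.compare_digest(login.device_token, req.device_token)
        for login in account.recent_logins
    )


# --- constructed sample data (not taken from the post) ---
UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/29.0"
VICTIM_TOKEN = "dt-8c1f4e7a"  # constructed; a real token would be long and random

VICTIM = Account(
    email="paswedtest@gmail.com",
    recovery_emails=frozenset(),  # none registered, like the post's test account
    answers={},                   # no security question set
    recent_logins=(LoginEvent("1.1.1.1", UA, VICTIM_TOKEN),),
)

# Attacker on the same /24 who copied a common User-Agent string.
ATTACKER_SAME_SEGMENT = RecoveryRequest(
    ip="1.1.1.99", user_agent=UA, recovery_email="attacker@example.com",
    answers={"first_phone_number": "random guess"},
)
ATTACKER_OTHER_SEGMENT = RecoveryRequest(
    ip="1.1.2.5", user_agent=UA, recovery_email="attacker@example.com", answers={},
)
ATTACKER_OTHER_UA = RecoveryRequest(
    ip="1.1.1.2", user_agent="curl/7.32.0", recovery_email="attacker@example.com", answers={},
)
# The real owner, from the same machine, presenting the login cookie.
OWNER_REQUEST = RecoveryRequest(
    ip="1.1.1.1", user_agent=UA, recovery_email="", answers={}, device_token=VICTIM_TOKEN,
)

if __name__ == "__main__":
    for name, req in [("same segment", ATTACKER_SAME_SEGMENT),
                      ("other segment", ATTACKER_OTHER_SEGMENT),
                      ("other UA", ATTACKER_OTHER_UA),
                      ("owner", OWNER_REQUEST)]:
        print(f"{name:14} weak={weak_recovery_check(VICTIM, req)} "
              f"strict={strict_recovery_check(VICTIM, req)}")
```

Running it shows the attacker from 1.1.1.99 passing the weak check and failing the strict one, while the owner passes both. Note that even the exact-IP comparison in the strict variant is weak on its own: behind the NAT of a cafe or hotel every client shares one public address, so the secret token issued to the browser is what actually carries the weight, and that is also why a recovery flow should not be satisfiable from a browser that never logged in.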


Easy? Yeah, so easy :)

For those using a shared network (school, library, hotel, airport, cafe, office, etc.), good luck with your hunting.


Oh wait. Did I report this to the Google team? Yes. Their response(s):




Ciao!