
Google Account Recovery Vulnerability - adamnemecek
http://www.orenh.com/2013/11/google-account-recovery-vulnerability.html
======
oneeyedpigeon
Recently, I decided to follow up one of the many emails I receive from a
company I've never heard of, implying I have an account with them. I usually
assume they are spam, but this looked like a genuine case of someone
accidentally using my email address and the service not verifying it. Long
story short: via their password recovery, I now have the user's plaintext
password, and several personal details including address, age, phone number,
and mother's maiden name.

I emailed the company (a US mobile phone company I haven't heard of; I'm based
in the UK) and their response was along the lines of "call us (at your
expense) and tell us your phone number and we'll sort it out". In the end, out
of sheer frustration, I reset the account's email address to that of the
company's WHOIS technical contact; that was the safest way I could think of
getting my email address off the account.

Google, of course, handle this kind of thing properly. But for every Google,
there are thousands of companies who will give your personal data away without
a care in the world.

~~~
tfgg
I once had someone sign up for an electronic voicemail service with my email
address. I was getting all their voicemail, including once about 50 in the
space of an afternoon from a clearly distressed client of theirs. It took a
very long email chain with customer service explaining that I couldn't log in
to the account to change the email address because I didn't have the password
and the account wasn't mine. A similar thing happened with a Playstation
Network account.

Web developers: Please make sure to include a "Didn't sign up for this? Click
here to disable/unsubscribe" option in sign up emails, rather than assuming
that the person receiving the email is the correct person who knows the
password.

~~~
Pxtl
To be fair, I have accidentally clicked on the "oh yeah, confirm this email
address" when I suddenly realize "no, wait, I created that account with my
_other_ email address... what the heck is this?"

More of a problem with common big-name services like Facebook and Apple ID and
whatnot.

------
WestCoastJustin
Nice write-up. While checking to see if Google's "Hall of Fame" [0] was
updated yet, I noticed that their reward program is actually really active.
Here are some stats compiled from the Reward Recipients and Honorable Mention
pages; based on these numbers, they are doling out a cash reward roughly
every 1.8 days!

      2013
        197  Reward Recipients [1]
        168  Honorable Mention [2]

      2012
        191  Reward Recipients [1]
        147  Honorable Mention [2]

      2011
        121  Reward Recipients [1]
         68  Honorable Mention [2]

[0] [http://www.google.com/about/appsecurity/hall-of-fame/](http://www.google.com/about/appsecurity/hall-of-fame/)

[1] [http://www.google.com/about/appsecurity/hall-of-fame/reward/](http://www.google.com/about/appsecurity/hall-of-fame/reward/)

[2] [http://www.google.com/about/appsecurity/hall-of-fame/distinction/](http://www.google.com/about/appsecurity/hall-of-fame/distinction/)

~~~
peterwwillis
Back in the day, the "Hall of Fame" for this kind of exploit would be a .txt
file sent to full-disclosure, detailing the exploit and sending "greetz" to
your "crew" (or if you were lucky, posted in a periodical of note like
Phrack).

Now the fix comes out before anyone gets harmed by it, AND the person who
discovered it gets PAID for it. Whoever thought up the rewards program is
keeping people safe and still giving hackers a good reason to keep hacking.
The future is amazing.

------
rallison
I always love reading writeups of these vulnerabilities.

On a related note, I love that bug bounty programs are becoming more popular.
Still too rare, but great. That said, the majority of companies out there
still make reporting vulnerabilities tough. I've reported a number of
vulnerabilities, and all but a few companies had no security@ email address
nor a security contact under Contact Us. The tech/admin contact of the DNS
record often does the trick, but doesn't always work.

Please, companies, make it easier for us to report security vulnerabilities!

~~~
wcummings
The problem is that if someone finds a bug in, say, PHP, the exploit could
easily be worth 60-100x the $1500 you'd get paid _when it's fixed_.

------
aabalkan
> Google security team acted really fast. This issue was fixed in 10 days.

Wow, I couldn't imagine how long a 'slower' response could be.

~~~
patio11
I have a remote DOS and possible code execution on one of the world's most
widely deployed desktop applications. Their security team has been on top of
it (got back an initial human response and responsible team member within 48
hours, etc), but the nature of the beast means that all subsequent steps take
weeks to months. I can't remember off the top of my head, but I think we're at
4 months and counting.

~~~
annnnd
Based on the description I think we can safely assume the company name starts
with a letter 'M'. ;)

~~~
patio11
Professional courtesy suggests I should not confirm nor deny that. Let's just
say that AmaGooBookSoft all have surface areas larger than the Death Star, and
it is highly, highly unlikely that any of them have found all the exhaust
ports yet.

~~~
oneeyedpigeon
Hey, I work at AmaGooBookSoft and I resent you calling out our poor security
practices!

------
yeukhon
Very interesting.

> If you rely on CAPTCHA's as CSRF protection, make it consistent.

This was discussed at today's AppSecUSA [1]: it is rarely ever seen that anyone
uses CAPTCHA as CSRF protection.

[1]: [http://appsecusa2013.sched.org/event/10d6389173e14b246720d8324ddbcc64](http://appsecusa2013.sched.org/event/10d6389173e14b246720d8324ddbcc64?iframe=no&w=100&sidebar=yes&bg=no#.Uo7lm_ZQ2VQ)

~~~
dmak
At first I thought it was odd and weird too. After some more thought, and
correct me if I am wrong, there weren't any differences between them. They
both are tokens that are generated and verified by the server, except a
CAPTCHA actually requires human interaction.
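
The point in the quoted advice and in the comment above, shown as an added example that is not code from the article or from any commenter: a hypothetical two-step recovery flow where the CAPTCHA-gated step mints a per-session, single-use token that the state-changing step must present. The session store, function names and the "inconsistent" variant are constructed for illustration; the weak variant trusts the session cookie alone, so a forged cross-site request is accepted even though step 1 had a CAPTCHA.

```python
import hmac
import secrets

# Constructed in-memory session store; a real service would use a
# server-side session backend keyed by an unguessable session id.
SESSIONS = {}


def start_recovery(session_id, captcha_solved):
    """Step 1 (hypothetical): only after the CAPTCHA is verified does the
    server mint a per-session, single-use recovery token."""
    if not captcha_solved:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"recovery_token": token}
    return token


def finish_recovery_inconsistent(session_id, new_password, token=None):
    """Weak step 2: trusts the ambient session alone and ignores the token,
    so the CAPTCHA gate of step 1 protects nothing here. A cross-site form
    post riding on the victim's cookies is accepted."""
    if session_id not in SESSIONS:
        return False
    SESSIONS[session_id]["password"] = new_password
    return True


def finish_recovery_consistent(session_id, new_password, token):
    """Hardened step 2: requires the token minted in step 1, compares it in
    constant time, and burns it, so every step of the flow is gated."""
    sess = SESSIONS.get(session_id)
    expected = sess.get("recovery_token") if sess else None
    if not expected or not token or not hmac.compare_digest(expected, token):
        return False
    sess.pop("recovery_token")  # single use: a replayed token is rejected
    sess["password"] = new_password
    return True
```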

------
nilsjuenemann
Vulnerability Reward Programs are getting more and more popular. @homakov and
@bef0rd made a script for collecting all people listed in a security "Hall of
Fame":

[http://beford.net/hustlers/hustlers.html](http://beford.net/hustlers/hustlers.html)

------
talles
Congrats to the guy that found out. Good job.

------
lhgaghl
such sophisticated recovery process

very bend over to customer who loses pass

so fuck user who retains pass and cares about security

much credible company

cloud wow

2013 very XSS

