The Tech Herald

Possible link to Twitter hack – GMail vulnerable to password cracking

by Steve Ragan - Jul 17 2009, 22:38

A post on the Full Disclosure mailing list this afternoon might offer a look into how Hacker Croll was able to crack the accounts that were compromised during the Twitter attack. According to an advisory from ISecAuditors, it is possible to circumvent the security measures Google uses to prevent an attacker from making automated password cracking attempts.

The ISecAuditors advisory points out that by using the “Check for mail using POP3” feature in GMail, an attacker can launch automated cracking attempts, which will bypass Google’s defenses, including CAPTCHA protections, IP locking, account locking, and detection of “concurrent access to the account from different geo-located IP addresses added to the number of these accesses.”

What this means is an attacker could automate password guessing on a targeted GMail account and make up to 7,200 attempts every two hours. “To bypass the limitation of 1.200 requests per day it is only necessary to have different Gmail accounts. Each new account means 100 new possible requests. If the attacker wants to do a request each second, means 7.200 attempts each two hours, the only need is to have 72 accounts. This would mean 86.400 request [per day]. More requests only need more accounts,” the advisory warns.

“As the Gmail account creation is a manual process as it needs to pass the CAPTCHAs. Another limitation is that Google only permits the creation of 10 new accounts creation per day from the same IP address, but using proxies or Tor network would bypass this limitation. Anyway, although the creation of N accounts, those could be used anytime for password cracking accounts.”
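The weakness in the quoted figures is that the 100-request budget is charged to the fetching account rather than to the account being guessed. The following is an added example, not code from the advisory or from Google: a small simulation comparing a limit keyed on the source with one keyed on the target. The two-hour window is inferred from the quoted 100 and 1,200 figures, and all field names and addresses are constructed.

```python
from collections import defaultdict

WINDOW_SECONDS = 2 * 60 * 60   # assumption: 1,200 per day / 100 per account = 12 windows
LIMIT_PER_WINDOW = 100         # per-account figure quoted from the advisory


class WindowLimiter:
    """Fixed-window counter; key_fn decides which identity is charged."""

    def __init__(self, key_fn, limit=LIMIT_PER_WINDOW, window=WINDOW_SECONDS):
        self.key_fn, self.limit, self.window = key_fn, limit, window
        self.counts = defaultdict(int)

    def allow(self, attempt):
        bucket = (self.key_fn(attempt), attempt["ts"] // self.window)
        if self.counts[bucket] >= self.limit:
            return False
        self.counts[bucket] += 1
        return True


def constructed_attempts(sources=72, per_source=100, target="victim@example.test"):
    """Constructed sample: one attempt per second, rotated across `sources` fetching accounts."""
    return [
        {"ts": i, "source": f"fetcher{i % sources}@example.test", "target": target}
        for i in range(sources * per_source)
    ]


def count_allowed(limiter, attempts):
    """Number of attempts the limiter lets through to the password check."""
    return sum(1 for a in attempts if limiter.allow(a))


def compare():
    """Return (allowed with per-source limit, allowed with per-target limit)."""
    attempts = constructed_attempts()
    by_source = WindowLimiter(lambda a: a["source"])
    by_target = WindowLimiter(lambda a: a["target"])
    return count_allowed(by_source, attempts), count_allowed(by_target, attempts)


if __name__ == "__main__":
    per_source, per_target = compare()
    print(f"limit keyed on fetching account: {per_source} guesses reach the target")
    print(f"limit keyed on target account:   {per_target} guesses reach the target")
```

A limit keyed on the target also lets anyone exhaust that account's budget, so in practice it is paired with throttling or a step-up challenge rather than a hard lock.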

While Google warns users about weak passwords, it is still possible to use them, so the automated cracking process is compounded by users who have GMail accounts that use passwords located in dictionaries or passwords that are commonly used.

Considering that Hacker Croll never said how the compromised Twitter accounts were accessed, it is possible that the measures described in the ISecAuditors advisory played a role in the attack. There is no tangible proof of this, but you can certainly see how it could happen. Based on the advisory, the only protection from this level of attack is a seriously strong password. Using the offered options from Google in the Google Apps program will augment protections, but the key is a strong password.

The full advisory is here, and it contains a detailed proof-of-concept for the attack process.

Another interesting part of the advisory is Google’s response. According to the advisory’s timeline, “Answer from Google telling 100 attempt control limit is enough robust, although the advisory POC shows how to evade this weak security control.”

It is because of that response from Google that ISecAuditors released their information.
