A post on the Full Disclosure mailing list this afternoon might offer a look into how Hacker Croll was able to crack the accounts that were compromised during the Twitter attack. According to an advisory from ISecAuditors, it is possible to circumvent the security measures used by Google that prevent an attacker from making automated password cracking attempts.
The ISecAuditors advisory points out that by using the “Check for mail using POP3” feature in GMail, an attacker can launch automated cracking attempts that bypass Google’s defenses, including CAPTCHA protections, IP locking, account locking, and detection of “of concurrent access to the account from different geo-located IP addresses added to the number of these accesses.”
What this means is an attacker could automate password guessing on a targeted GMail account and make up to 7,200 attempts every two hours. “To bypass the limitation of 1.200 requests per day it is only necessary to have different Gmail accounts. Each new account means 100 new possible requests. If the attacker wants to do a request each second, means 7.200 attempts each two hours, the only need is to have 72 accounts. This would mean 86.400 request[per day]. More requests only need more accounts,” the advisory warns.
“As the Gmail account creation is a manual process as it needs to pass the CAPTCHAs. Another limitation is that Google only permits the creation of 10 new accounts creation per day from the same IP address, but using proxies or Tor network would bypass this limitation. Anyway, although the creation of N accounts, those could be used anytime for password cracking accounts.”
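The weakness the advisory describes is a quota keyed on the account doing the fetching rather than on the account being logged into, so every extra fetcher account buys another 100 guesses. The following model, added here as an illustration and not code from the advisory or from Google, contrasts the two keying choices and adds the detection check a defender would want: failed fetch attempts against one target spread over many fetcher accounts. All account names, the 100-per-key limit and the sample events are constructed assumptions for the demo.

```python
"""Rate-limit keying demo: per-requester quota versus per-target quota.

Constructed model of the control quoted in the advisory (100 attempts
per fetcher account per day). Names, limits and events are illustrative
assumptions, not Google's implementation.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

DAILY_LIMIT_PER_KEY = 100  # assumed: the "100 attempt" control from the advisory


class DailyCounter:
    """Counts events per key; allow() returns False once a key reaches the limit."""

    def __init__(self, limit: int, key_fn: Callable[[str, str], str]) -> None:
        self.limit = limit
        self.key_fn = key_fn  # decides what the quota is attached to
        self.counts: Dict[str, int] = defaultdict(int)

    def allow(self, requester: str, target: str) -> bool:
        key = self.key_fn(requester, target)
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


def key_by_requester(requester: str, target: str) -> str:
    # Weak design: each attacker-controlled fetcher account has its own quota,
    # so N accounts yield N * limit guesses against the same target.
    return "requester:" + requester


def key_by_target(requester: str, target: str) -> str:
    # Hardened design: the quota belongs to the account whose password is being
    # tried, so adding fetcher accounts does not add guesses.
    return "target:" + target


def simulate(key_fn: Callable[[str, str], str], n_requesters: int,
             attempts_each: int, target: str = "victim@example.invalid") -> int:
    """Return how many login attempts against `target` get through the limiter
    when they are spread over `n_requesters` fetcher accounts."""
    limiter = DailyCounter(DAILY_LIMIT_PER_KEY, key_fn)
    allowed = 0
    for i in range(n_requesters):
        requester = f"fetcher{i}@example.invalid"  # constructed attacker account
        for _ in range(attempts_each):
            if limiter.allow(requester, target):
                allowed += 1
    return allowed


# Detection side: one target, failures from many distinct fetcher accounts.
Event = Tuple[str, str, bool]  # (requester, target, login succeeded?)


def make_sample_events() -> List[Event]:
    """Constructed log: 10 fetcher accounts each failing 12 times against one
    victim, plus a legitimate user fetching their own mail successfully."""
    events: List[Event] = []
    for i in range(10):
        events += [(f"fetcher{i}@example.invalid", "victim@example.invalid", False)] * 12
    events += [("alice@example.invalid", "alice-old@example.invalid", True)] * 3
    events.append(("alice@example.invalid", "alice-old@example.invalid", False))  # one typo
    return events


def distributed_guessing_targets(events: List[Event], min_requesters: int = 5,
                                 min_failures: int = 50) -> List[str]:
    """Targets whose failed fetch logins come from at least `min_requesters`
    distinct fetcher accounts and total at least `min_failures` failures."""
    failing_requesters: Dict[str, Set[str]] = defaultdict(set)
    failure_count: Dict[str, int] = defaultdict(int)
    for requester, target, ok in events:
        if not ok:
            failing_requesters[target].add(requester)
            failure_count[target] += 1
    return sorted(t for t in failing_requesters
                  if len(failing_requesters[t]) >= min_requesters
                  and failure_count[t] >= min_failures)


if __name__ == "__main__":
    print("per-requester quota, 72 fetchers:", simulate(key_by_requester, 72, 100))
    print("per-target quota, 72 fetchers:   ", simulate(key_by_target, 72, 100))
    print("flagged targets:", distributed_guessing_targets(make_sample_events()))
```

With the quota keyed on the requester, 72 fetcher accounts get the full 7,200 attempts through, matching the arithmetic in the advisory; keyed on the target, the same traffic stops at 100. The detection function is the complementary control: even where the quota stays per-requester, a spike of failures against one mailbox from many unrelated fetcher accounts is a signal the per-account counter alone never sees.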
While Google warns users about weak passwords, it is still possible to use them, so the automated cracking process is made easier by GMail users whose passwords appear in dictionaries or are among those commonly chosen.
Considering that Hacker Croll never said how the compromised Twitter accounts were accessed, it is possible that the measures described in the ISecAuditors advisory played a role in the attack. There is no tangible proof of this, but you can certainly see how it could happen. Based on the advisory, the only protection from this level of attack is a seriously strong password. Using the offered options from Google in the Google Apps program will augment protections, but the key is a strong password.
The full advisory is here, and it contains a detailed proof-of-concept for the attack process.
Another interesting part to the advisory is Google’s response. According to the advisory’s timeline, “Answer from Google telling 100 attempt control limit is enough robust, although the advisory POC shows how to evade this weak security control.”
It is because of that response from Google that ISecAuditors released their information.