Gmail SMS Verfication loophole exposed by HackingLoops
Hello friends, so first day of new year almost comes to an end, :P and we all are safe (some rumors were there that world gonna destroyed in 2012). HackingLoops is dedicating 2012 to online and web security i.e. exposing the loopholes and either fixing them or asking web masters to get it fixed.
Note: If any Google guy is reading this, please raise a CR(change request) to get it fixed as soon as possible.
Gmail is world most famous free email service and its a prominent part of Google but they always pay attention when i expose their loopholes. Like i previously did for GX cookie loophole, which make the hackers to own the users Gmail account from cookies. But Google reaction was quick and they fixed that just 4 business days after i exposed it but that was the temporary solution, they have taken more than month to completely fixed that. So friends, lets me explain you where i have found the new bug, may be all of you know that because its too common service. But you might have missed that. So i will expose it today, so that Google will fix it as soon as possible.
|Gmail Mobile verification Loopholes|
Actually this is not one loophole, there are two big loopholes in SMS verification that i have discovered in Gmail SMS verification and password reset method. So friends from which i start, dangerous one first or mild one first.
ok..ok.. lets save the best one for last.
1. Mobile number as optional Field
As far as i know security norms, Google should make the mobile phone verification mandatory at least at the time of creation of new Gmail account. Following are the benefits of that:
a. Tracing a user will be easier: Hackers uses anonymous or fake Gmail accounts to get keylogger logs and sending fake emails to users. If we have mobile number of the Gmail account user, we can trace him back in just a manner of few seconds.
b. Mobile number and its location should be validated using the Google maps and IP address used for registering the Email account: Hackingloops is suggesting this because as a hacker, i always try to create a spoof account in which almost every detail is wrong. So for complete traceability, it should be validated geographically. I think its not that tough for cool coders to code that stuff.
This loophole is just a minor in its category but it will prove its worth, when some hacker tries to hack anything serious by using a anonymous Gmail account. If Google realizes these things earlier then they can surely put a track on malicious users and can monitor their day to day activity. But as i said until i wont expose the things, they will not fix it. I know everything is not perfect but as a Internet Giant, you guys should be perfect.
2. Forgot Password SMS verification code message
This is extremely dangerous loophole and can be greatly exploited using the Social Engineering technique. Two to three days back, i was talking with one of my client, he was explaining me that his Gmail account has been hacked. He told me that he is aware of all these techniques like Key stroke logging or Phishing that hackers use to hack the email accounts. Below is the scenario between Hackingloops client(Rahul das, works in software firm) and me(Lokesh Singh) explained to me:
Client: My Gmail account has been hacked.
Me(Lokesh): Have you got any email.
Client : Yes, i daily get lot of emails.
Me: I mean any suspicious or unsolicited or Lottery Prize email.
Client : Yes, lot of such emails but i never open any such email and also i haven't open any link from my email.
Me: Ok. Its nice that you are aware of these stuff. May be you have installed some new application or software in your PC or have your hands on some hack tool.
Client: No, i haven't installed anything from last few weeks.
Me: Ok. Then for sure you might have signed up for some new website.
Client : Yes, i signed on one website yesterday and after that only i am unable to login into my account. But i haven't used the same password there that i use for my Gmail.
Me: ok, tell me from where you got to this site means do you find that from Google or somebody has referred that to you.
Client : Yeah, one person having email ID something like email@example.com has told me about that site. But today that site is also down.
Me: What was website name.
Client: Something like make money by displaying adds on your website.
Me: ok. Do you know the guy with Email firstname.lastname@example.org. means he is friends of your's.
Client: No, i just got his Gtalk invitation, a day back. But i have talked with him personally and he was saying "You will get 50% of my Google Adsense revenue every article you write on my website"
Me: OK, can tell me did he asked anything special like some registration or mobile verification code or anything similar.
Client: Yes, he told me that you will get a Verfication code from Google on your Mobile, that you need to provide me so that i can attach you with my Google Adsense account.
Me: Can you forward me that message.
Now friends, what will be my reaction after seeing that message.. __|__ fk... what the hell... Message was saying "Your Google Verification code is 516826". Now anyone of you guessed it... when we get this message.
ok...ok... i give you time to guess... did you all got it... no...ok.. i will tell you..
Its a Google Verification code which you get when you select FORGOT PASSWORD option and then enters your mobile number to get the password reset code...
This is really a dangerous Loophole...Isn't it ... anybody can be fooled using this trick...
If any Gmail or Google employee or staff member is reading it, please ask your boss to raise a change request for this.
Ok..ok.. i make the situation even more worse... Now hacker has resetted my clients passwords, but he was more smarter than i thought....What he has done he changed all recovery options, even the mobile number. Now my client has no chance to get his credentials back. But it was my clients luck that he told me about the scenario and he got his account back and hacker asked sorry for his activites.. :P I hacked the hackers system(PC) using his IP address which i got through readnotify. I will explain that procedure later someday, because its unethical to hack someone...
Lets concentrate on loophole, now consider my point:
Don't you think the password reset message should contain the text password reset code is blah blah... I had never thought of such scenario can happen and anybody can exploit this loophole to that extent. Google guys correct these bugs, this doesn't cost you much but a email account costs much for the user who is having a blind faith on you Guys.
Some suggestions by HackingLoops:
1. For Gmail Password Reset:
The message can be something like
" Dear Gmail User(Name),Your Gmail Password reset verification code is 123456"
"Dear user,You have requested a password reset for your Google account (email). Your verification code is 123456".
I think both of them are less than 160 chars and can be easily sent to user and :P can be easily configured in Google SMS module.
2. If Google doesn't want to change much of their functionality, then you can use something like:
Dear user(name),You have requested a Password Reset verification code for account(email). Your code is 123456".
I think friends, you all have recognized what the loopholes are, and surely some of Google Guy must read this, so just wait how soon Google fixes these loophole..
Stay connected with Hackingloops and keep getting latest security updates and tricks..