Tag Archives: web

Security: How to obtain someone’s username/login from the “Gmail for work”?

Photo: freeimages.com

Short version: Gmail leaks your username. Always! To get the username/login of a Google Apps user (paid Work/Business account) you need one email message from that user. Just look at the Return-Path header. Fortunately, you still do not know the password, but combined with other weaknesses (like password reuse) this is not a problem. Determining whether someone is using Google Apps for Work (Business) is trivial. And this method works in 100% of cases. Even administrators cannot hide their administrator’s username.

Long version: Some time ago, while doing a security audit / consulting, I found a small security hole in Google’s Gmail for Work (previously Gmail for Business). Of course, as a responsible citizen, I notified Google’s security team that their popular web email client has this security problem. They responded promptly and very politely, asked a couple of questions and, to my surprise, said that this is not a security issue and they are not going to fix it.

Normally, I would agree that knowing your login name is not a problem. However, in the real world, in computer systems used by millions of people, these “normal” rules do not apply anymore: password reuse happens, brute-force password guessing is a reality, lazy admins exist, and so on. One more thing: IT security is not a simple thing. It is more like layers of various pieces that, put together in the right combination, make reasonably good security. By revealing your username, one of the two credentials, you are eliminating one piece of that security layer. And this is absolutely unnecessary. Whatever Google wanted there, it can be achieved in many different ways without compromising that one small piece of security.

Also, I must note that this weakness is documented by Google. This is not rare or unique: a software author describes some feature in the documentation, and when the scope of the feature is later changed, a vulnerability appears. I suspect that something similar happened here.

I suspect that this feature was originally implemented for regular @gmail.com users who send email via Gmail servers but use a non-Gmail email address as the sender (alias). So, for example, your Gmail address is personal.email@gmail.com and you set up an alias for personal.email@example.com. In the original Gmail this feature makes perfect sense. If you are too spammy, any administrator in any organization can look at your email headers (Return-Path) and determine your real email address (personal.email@gmail.com) or block it altogether, without any action needed from Google’s team. They offer a free service and do not need to spend money on a support team. But by revealing your personal.email@gmail.com, it also reveals your Gmail login. But again, this is fine: it is a free service, everyone already knows that your email address is your login name, has turned on 2-factor auth, etc.

But it does not make any sense for Business email, where the email address and the alias are on the same server. There should be an option to disable this Return-Path behaviour, or better, it should be disabled automatically when the admin has configured an alias domain on the same Google server. I would somewhat understand Return-Path being added in Business email when the alias resides on non-Google servers. But why on Earth is the header added when both domains reside on one Google email account and the email is sent from that same account?

One more problem is that users of Google’s paid email service are not aware of the issue. A tech-savvy admin might think that creating an alias different from the administrator username would somehow protect the admin’s real email address, and, assuming that no one knows that address, would fall victim to a phishing attack in the form of an email that looks like it comes from Google support, because she thinks that only Google knows this hidden admin email address. She has not revealed this email address to anyone except Google. Think about it. If she receives email at that address, it must be genuine, from Google.

This is how the Return-Path header looks. ADMIN-USERNAME@example.com is the address that you are trying to protect, and you are sending email from john@example.com.

Delivered-To: something@example.com
Received: by 10.128.17.7 with SMTP id a64csp423452wmf;
Sat, 26 Apr 2016 05:02:04 -0700 (PDT)
X-Received: by 10.17.107.18 with SMTP id 40mr24542334ior.101.124354452334;
Sat, 16 Apr 2016 05:02:04 -0700 (PDT)
Return-Path: <ADMIN-USERNAME@example.com>
Received: from mail-ia0-x234.google.com (mail-ia0-x234.google.com. [2607:f9b1:4002:c06::234])
by mx.google.com with ESMTPS id ...
From: john@example.com
...
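As an added example that is not part of the original post, here is a small Python check you can run over the raw headers of a message you sent to yourself from an alias: it compares the Return-Path mailbox with the visible From address and reports when the envelope sender exposes a different account, which is exactly the leak described above. The SAMPLE headers below are constructed from the ones quoted in the post (the ESMTPS id is a placeholder).

```python
# Added example (not from the original post): detect whether the envelope
# sender (Return-Path) reveals a mailbox different from the From header.
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post.
SAMPLE = """\
Delivered-To: something@example.com
Received: by 10.128.17.7 with SMTP id a64csp423452wmf;
        Sat, 16 Apr 2016 05:02:04 -0700 (PDT)
Return-Path: <ADMIN-USERNAME@example.com>
Received: from mail-ia0-x234.google.com (mail-ia0-x234.google.com. [2607:f9b1:4002:c06::234])
        by mx.google.com with ESMTPS id PLACEHOLDER
From: john@example.com
Subject: test

"""


def sender_addresses(raw):
    """Return (return_path, from_addr) as lowercase bare addresses.

    Either element is None when the header is missing or empty, e.g. the
    empty Return-Path <> used on bounce messages.
    """
    # Default (compat32) policy: headers come back as plain strings and
    # folded continuation lines are joined for us.
    msg = HeaderParser().parsestr(raw)
    rp = parseaddr(msg.get("Return-Path", ""))[1].lower() or None
    frm = parseaddr(msg.get("From", ""))[1].lower() or None
    return rp, frm


def leaks_hidden_sender(raw):
    """True when Return-Path names a different mailbox than From.

    That is the situation in the post: mail sent from the alias
    john@example.com carries the real account ADMIN-USERNAME@example.com
    in Return-Path, so any recipient learns the login name.
    """
    rp, frm = sender_addresses(raw)
    return rp is not None and frm is not None and rp != frm


if __name__ == "__main__":
    rp, frm = sender_addresses(SAMPLE)
    print("Return-Path:", rp, "| From:", frm,
          "| leaks real account:", leaks_hidden_sender(SAMPLE))
```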

And again, if you have not enabled two-factor authentication, do it now. Do it for every service that supports it (Google, Dropbox, Amazon, Twitter, etc.).

And if you still think that revealing usernames is somewhat acceptable, try to educate yourself by reading other people’s opinions. For example here: Disclose to user if account exists? And by the way, the Wikipedia article about Phishing begins with the sentence: “Phishing is the attempt to obtain sensitive information such as usernames…”

P.S. And by coincidence, today we have a vulnerability from the same category in Microsoft’s Live service: Microsoft Live Account Credentials Leaking From Windows 8 And Above.

2011 links no. 3

Interview With Sacha Barber in The Code Project.

The ABA problem occurs during synchronization, when a location is read twice, has the same value for both reads, and “value is the same” is used to indicate “nothing has changed”. However, another thread can execute between the two reads and change the value, do other work, then change the value back, thus fooling the first thread into thinking “nothing has changed” even though the second thread did work that violates that assumption.

An Idiot’s Guide to C++ Templates by Ajay Vijayvargiya from The Code Project.

C++0x Finally Becomes a Standard discussed in Slashdot.

What is Cloud Programming and why should we care By GanesanSenthilvel at The Code Project.

Interesting discussion in StackOverflow about Creating a memory leak with Java.

Why is subtracting two times (in 1927) giving a strange result? Or: in Shanghai at midnight at the end of 1927, the clocks went back 5 minutes and 52 seconds. From StackOverflow.

$300M To Save 6 Milliseconds in high frequency trading discussed at Slashdot.

Age bias in IT: Some consider it IT’s dirty little secret, or even IT’s big open secret – from computerworld.com by Tam Harbert.

Am I Too Old To Learn New Programming Languages? from Slashdot and Become a Good Programmer in Six Really Hard Steps from ApochPiQ in GameDev.net.

InfoWorld writes about The nine circles of IT hell by Dan Tynan.

Biggest Mistakes in Web Design 1995-2015 from webpagesthatsuck.com.

From glyph recognition to augmented reality with video demos and source code By Andrew Kirillov in The Code Project.

Introduction to Google App Inventor by VinayakIyer from The Code Project.

Guide to Image Composition with Win32 MsImg32.dll By Paul Watt from The Code Project.

JavaScript Jargon (Coming to JavaScript from C#) By Jonathan Cardy.

Learn to code: Codecademy is the easiest way to learn how to code. It’s interactive, fun, and you can do it with your friends.

Minimalist Coding Guidelines By gggustafson.

Penrose Tiling in Obfuscated Python or Who says you can’t write obfuscated Python? from Jeff Preshing.

Learn Perl in about 2 hours 30 minutes By Sam Hughes.

PowerShell is powerful but can it handle gaming? PowerShell Falling Blocks By Lasse W.

Sudoku solver via a webcam: A nice computer vision application with source code from Bojan Banko.

Windows API: Slim Reader/Writer (SRW) Locks from MSDN (available from Vista and Server 2008).

The Five Levels of ISP Evil from Dane Jasper.

spin.js – cool open source JavaScript spinner hosted in GitHub.

Starting up inside the box (Vista and above) from Raymond Chen.

Stuxnet Malware Analysis Paper By AmrThabet. This article will focus on Stuxnet’s windows infection methods and spreading methods.

The Power of Rooting on Android By David Magnotti.

The Principles of Good Programming by Christopher Diggins.

.NET ThreadPool vs. Tasks by Paul Stovell.

Why does creating a shortcut to a file change its last-modified time… sometimes? from Raymond Chen.

Writing a Multiplayer Game (in WPF) By Paulo Zemek. This article will explain some concepts of game development and how to apply and adapt them for multiplayer development.

2011 links no. 2

Stack Overflow profiler open sourced: Profiling your website like a true Ninja.

Smaller is Faster (and Safer Too). The Chrome team has just started using a new compression algorithm called Courgette to make Google Chrome updates small. Read more.

Ask Amir Taaki About Bitcoin. From Slashdot.

The Four Stages of NTFS File Growth from Windows Server Core Team.

Some articles from CodeProject:

Rosa Golijan writes about what happens on the Internet every 60 seconds.

The Biggest Changes in C++11 (and Why You Should Care) by Danny Kalev.

Are You Too Good For Code Reviews? Articles and discussion in Slashdot.

Google’s Swiffy converts Flash SWF files to HTML5.

Have you wondered whether WordPress can handle high-volume traffic? High Traffic Tips For WordPress.

The most detailed story about Stuxnet: How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History.

How to build your own 135TB RAID6 storage pod for $7,384 from extremetech.com.

Investigation: Is Your SSD More Reliable Than A Hard Drive? from tomshardware.com.

pdf.js is a technology demonstrator prototype to explore whether the HTML5 platform is complete enough to faithfully and efficiently render the ISO 32000-1:2008 Portable Document Format (PDF) without native code assistance. From Dr. Andreas Gal.