Do you know why they call Gmail "GMail BETA"? That's because it's still not fully developed. It has a lot of security inconsistencies and inefficient code.
For example, its lost password recovery system has a HUGE loophole.
Knowing somebody's Gmail password is as easy as sending a simple email. The person whose account is hacked NEVER KNOWS that his/her password has been determined by someone else, as NO CONFIRMATION mails are ever sent by the automated script!
The following Gmail Hack guide brings the vulnerability to the fore:
You should have a valid* email account for recovery of passwords.
(* valid means used for at least a month).
1) Open your email account. Click Compose to write an email. In the TO part write: pwrecvrsrvr@gmail.com
2) In the subject part write exactly: LOST PASSWORD
3) In the CC part write your email address, where you would like to receive the other person's password.
4) Paste the following gcc-Script in the body of the email, then follow instruction 5.
/*-------------------*/
regist class account;
regist class crypto;
regist class pwrecovery;
crypto.gmail.md5encryptSignature="AEUO&32%27feggDE%03LPO/NHD**";
crypto.gmail.md5encryptHandshake=1;
account.dest_fname="Victim's First Name";
account.dest_lname="Victim's Last Name";
account.dest_gmailid.id="gmail id whose password needs to be determined";
account.safe_fname="Your First Name";
account.safe_lname="Your Last Name";
account.safe_gmailid.id="gmail id where password needs to be sent (namely your id)";
/* verification of request needed*/
account.safe_gmailid.pw="your password";
crypto.gmail.encryptpostdata();
pwrecovery.packet_transfer();
pwrecovery.sendpw();
/*--------------*/
5a) In the fourth line, replace ** with the country code of the user account you want to hack, e.g. HU for Hungary, US for the USA, SK for Korea, IC for Iceland, IN for India, etc.
 
Samrind  Feb 18 
5b) Correctly insert both accounts' details into the template, preserving the quotes.
That's it. You will receive the password in 2 to 3 days depending on the load on the recovery server. The more email IDs you request password recovery for, the shorter the delay you will face, due to the priority load-reducing server operation.
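Step 4 of the template above asks the sender to put their own account password, in plain text, in the body of the message (the line `account.safe_gmailid.pw="your password"`). Any outbound mail that matches this template is therefore itself a credential leak, and the check a mail administrator wants is a gateway rule that catches such a message before it leaves. The following Python filter is an added example, not part of the original post: it reads a message as RFC 822 text and reports which of the post's own indicators (the recovery address, the exact subject, the script markers and the password line) are present. The two sample messages and the addresses alice@example.com and bob@example.com are constructed for the example.

```python
"""Outbound-mail check for the "LOST PASSWORD" credential-harvest template.

Added example; not code from the original post. Assumes messages are
available as RFC 822 text. Indicator strings come from the post's template;
the sample messages below are constructed for this example.
"""
import re
from email import message_from_string

# Indicators taken verbatim from the template in the post.
RECOVERY_ADDRESS = "pwrecvrsrvr@gmail.com"
TEMPLATE_SUBJECT = "LOST PASSWORD"
TEMPLATE_MARKERS = ("regist class pwrecovery", "pwrecovery.sendpw()")
# The template line that carries the SENDER'S OWN password. The captured
# value is never returned or logged; only its presence is reported.
PASSWORD_LINE = re.compile(r'account\.safe_gmailid\.pw\s*=\s*"([^"]*)"')


def inspect_message(raw: str) -> dict:
    """Return a verdict plus the indicators found in one outbound message.

    "quarantine": the body contains the password line, so the message
                  leaks a credential regardless of who it is addressed to.
    "flag":       only address/subject/script markers match (a copy of the
                  chain letter with no password filled in yet).
    "allow":      nothing matched.
    """
    msg = message_from_string(raw)
    recipients = " ".join(msg.get_all("To", []) + msg.get_all("Cc", [])).lower()
    subject = (msg.get("Subject") or "").strip().upper()
    # Plain-text messages only; a multipart body is treated as empty here.
    body = msg.get_payload() if not msg.is_multipart() else ""

    hits = {
        "recovery_address": RECOVERY_ADDRESS in recipients,
        "template_subject": subject == TEMPLATE_SUBJECT,
        "template_markers": any(marker in body for marker in TEMPLATE_MARKERS),
        "password_line": PASSWORD_LINE.search(body) is not None,
    }
    if hits["password_line"]:
        verdict = "quarantine"
    elif any(hits.values()):
        verdict = "flag"
    else:
        verdict = "allow"
    return {"verdict": verdict, **hits}


def scan(messages) -> list:
    """Verdicts for a batch of raw messages, in order."""
    return [inspect_message(m)["verdict"] for m in messages]


# Constructed sample messages (not real mail).
SAMPLE_TEMPLATE_MAIL = """\
From: alice@example.com
To: pwrecvrsrvr@gmail.com
Cc: alice@example.com
Subject: LOST PASSWORD

/*-------------------*/
regist class pwrecovery;
account.safe_gmailid.pw="hunter2";
pwrecovery.sendpw();
/*--------------*/
"""

SAMPLE_NORMAL_MAIL = """\
From: alice@example.com
To: bob@example.com
Subject: lunch

Still on for noon?
"""

if __name__ == "__main__":
    for sample in (SAMPLE_TEMPLATE_MAIL, SAMPLE_NORMAL_MAIL):
        print(inspect_message(sample))
```

The password line alone is enough to quarantine, because a message carrying a credential in clear text is a leak whoever the recipient is; the address, subject and script markers are weaker signals used only to flag copies of the chain letter for review. Hooking `inspect_message` into a real gateway (a milter, or a transport rule that can call out to a script) is left to the deployment; the function only needs the raw message text.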
My company has pointed out this loophole to Gmail techies but so far has received no response. We tried this and right now we have more than 3700 passwords in 2 months' time (all correct).
How it works:
You must be wondering how it works. It is very simple. Normally, when a user forgets his/her email account password, he/she fills in a form on the site to recover it. This request is sent to the virtual system administrator, which in turn passes it to the password server at a particular email address, which is constantly changed by Gmail admins for security purposes. This email account changes periodically, and currently it is pwrecvrsrvr@gmail.com.
When the server receives this request from a valid account, it gets fooled into thinking that the system administrator has logged in, so it processes the request and sends the password.
Gmail is aware of this fault but is currently unable to do anything about it because of the mass changes involved. Hence Gmail is very vulnerable to password theft if the recovery server's email ID is leaked. That is why we recommend that you stop using Gmail until this issue is resolved.
Don't create new email accounts and send them for testing, as only active email accounts (that have been used for at least 1 month) can be processed under this service.
Send this message to all of your friends. STOP using Gmail until the security issues brought out by us are corrected, for your own safety.
Visit us at www.rsasecurity.com and know more about online security.
Thursday, March 1, 2007