Skip to content

Google POP3 Brute Force Attack

The ISecAuditors say you may find it worthwhile to setup hundreds of Google accounts if you want to run a brute force attack on an account sometime in the future. They posted an explanation on Full Disclosure

To bypass the limitation of 1.200 requests per day it is only necessary to have different Gmail accounts. Each new account means 100 new possible requests. If the attacker wants to do a request each second, means 7.200 attempts each two hours, the only need is to have 72 accounts. This would mean 86.400 request/day. More requests only need more accounts.

As the Gmail account creation is a manual process as it needs to pass the captcha. Another limitation is that Google only permits the creation of 10 new accounts creation per day from the same IP address, but using proxies or Tor network would bypass this limitation. Anyway, although the creation of N accounts, those could be used anytime for password cracking accounts.

Google should enforce stronger password standards for certain (the advisory suggests there are none at all). However, companies with large numbers of accounts have to also consider the overall cost of such a move relative to any gains.

In short, for every active user with a locked account there is an unlock/helpdesk fee associated. This will be at least $15 so a thousand locked accounts per day will be more than $15K in overhead. Thus a decision to enable account locking, or strong passwords more likely to lead to mistakes and then account locking, is really going to be based on the economics of risk.

The advisory suggests four control mistakes have been made by Google.

Anyway, is it possible to abuse the “Check for mail using POP3” capability to do attacks to the passwords of the users in an automated way, evading all referred security restrictions and controls and doing a transparent and not noticeable attack to the user that its account is being password cracked as:
– There’s no need for required action from the victim.
– There’s no modification in the password of the victim.
– There’s no locking in the victim account.
– There’s no security notification to the victim.

This seems like very tortured English to me, speaking of making mistakes. Not sure what they mean by required action from the victim. That also seems like a repeat of their last bullet point, which is notification to the victim. Action could only be required after or with notification.

A warning sent to the victim saying “your account has had X unsuccessful logins” is more likely to lead to a helpdesk call ($$) than anything. Imagine if the message said “you have had 1,200 failed logins today, please change your password to something stronger”. That would not only lead to a helpdesk call but probably a very confused/angry call or maybe one full of fear and demanding action.

Locking the account is unlikely to happen, as I suggested above.

Finally, brute forcing a password never leads to modification. Modification would happen entirely outside of a brute force event.

With this in mind, the advisory boils down to nothing more than a public service announcement to users that they should use strong passwords. Although I would say such a notice is commendable, they fail to suggest what/how to make a password strong enough to their liking thus leaving everyone in the same exact spot they were before reading the advisory. This provides Google, and its users, little incentive or explanation why they should alter the current risk profile.

Posted in Security.

One Response

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. l33t says

    so sad now… so how do i bruteforce this f*cking gmail? huh? HOW? ;(

Some HTML is OK

or, reply to this post via trackback.