This information about the error messages generated after entering a wrong captcha or a wrong password was posted to the Full-Disclosure security mailing list recently:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-May/062568.html
That's an excellent point if it's correct. This had actually crossed my mind before when I had to enter a captcha, but I never bothered to go through the various combinations.

It's correct. I tried it and it's working as explained, and it's scary.
Good find
Juha-Matti Laurio, I wonder if Cryptreaper had gone through the protocol of contacting the vendor before getting into FD mode. Responsible disclosure is an art by itself!!

Still, it would take ages to bruteforce most modern passwords... so I wouldn't call it scary, it's just a stupid (not too dangerous) design mistake...

I think if you load too many pages too quickly, Google will block your access to its domain. So, I suppose, bruteforce is nearly impossible with Google.

Did you test that? If so, what if the abuser uses some distributed system with different IPs?
A different IP is a good idea.

But I tested that some months ago by accident. We were at university with my classmates, modifying computers, when we had to send a mail to our teacher. But the keyboard was QWERTY (and not French AZERTY), so many people failed to enter the password of their Gmail account. Then, for 30 minutes, there was a message: "we have detected a spyware on your computer which makes too many requests, please try again later".

To pd: I believe that Cryptreaper has not contacted the vendor. I'm not sure about that. However, it was not posted to the moderated Bugtraq list at all.
<< I think if you load too many pages too quickly, Google will block your access to its domain. >>
I don't think that happens on the standard Google Account login page...

So, according to you, Google would block a dude who loads 30 SERPs/minute, but not the one trying 100 bad passwords/minute? That's not security, it's stupidity.

Not necessarily. Google could (and probably does) block users for too many attempted logins but not for simple page requests. So "if you load too many pages too quickly" (as you said) Google wouldn't necessarily block you.

It often happens in schools, colleges, etc., because students perform too many searches. http://www.mydigitallife.info/wp-content/uploads/2007/11/google-error.jpg

Yep. I've seen it happen for me when I've been refining my search queries too.

The weekend is over soon and there are no replies posted to the Full-Disclosure list.

This appears to be fixed. With or without my correct password, I get:
"Enter the correct password above and then type the characters you see in the picture below."
"Enter the letters as they are shown in the image above"
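The design mistake discussed in this thread, and the fix reported above, side by side as an added example (not code from the post or from Google): a login handler whose error text names which check failed lets the password be tested without ever solving the captcha, while one that evaluates both checks and returns a single message for any failure does not. The account, password and captcha values are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo account; the thread names no real credentials.
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def _password_ok(user, password):
    stored = _USERS.get(user, "")
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


def _captcha_ok(expected, answer):
    return hmac.compare_digest(expected, answer)


def login_leaky(user, password, captcha_expected, captcha_answer):
    # The flaw described in the thread: the reply reveals which check
    # failed, so the captcha never has to be solved to test a password.
    if not _password_ok(user, password):
        return "Wrong password"
    if not _captcha_ok(captcha_expected, captcha_answer):
        return "Wrong captcha"
    return "OK"


def login_uniform(user, password, captcha_expected, captcha_answer):
    # The fix: evaluate both checks, then return one message for any failure.
    pw_ok = _password_ok(user, password)
    cap_ok = _captcha_ok(captcha_expected, captcha_answer)
    if pw_ok and cap_ok:
        return "OK"
    return ("Enter the correct password above and then type the "
            "characters you see in the picture below.")


def leaks_password_oracle(login):
    """True if, with a wrong captcha, the reply depends on the password."""
    right_pw = login("alice", "correct horse", "xk7q", "zzzz")
    wrong_pw = login("alice", "not it", "xk7q", "zzzz")
    return right_pw != wrong_pw
```

`leaks_password_oracle` is the check a reviewer can run against any login handler: it must return False before the captcha is doing any work.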
<<Because students perform too many searches.>> Our entire county is on one ISP, on the hour every hour, Google starts getting difficult. |