Email Accounts - Powerful Skeleton Keys

Email Accounts

Powerful Skeleton Keys

Stefan Friedli
by Stefan Friedli
time to read: 6 minutes

“You should talk to Stefan, he knows a thing or two about computers”, I heard from a table nearby and made a conscious effort to appear deeply involved into my current conversation. I guess anyone who remotely works with technology on a day to day basis will agree, that certain ignorance is a great way not to end up as somebody’s personal troubleshooter. It would probably be better to just keep silent about the nature of your own profession, but giving interviews on information security semi-regular makes this into an uphill battle.

This conversation, as it happened in the late summer of 2014, was not to be avoided. And I’m glad it didn’t, as it turned out to be an important one. The problem my acquaintance was telling me about started off harmless enough: “My iPhone’s acting up. I have to log in constantly”, she said. When asked, how often this would occur, she responded that she had to log in every couple of days and it would take forever to get the email, she said, clearly annoyed but happy about the prospect of fixing this issue. “Which email?” I asked. She responded that she’d be forced to set a new password every time, as the old one wouldn’t be accepted anymore.

I was surprised and intrigued. The likelihood of this being some sort of technical glitch was low, very low. Much more likely: Somebody was accessing her iCloud account on a frequent basis. The pattern of attack isn’t necessarily new, but still surprisingly unknown to a general public.

So here’s the basic principle: Since centralized cloud solutions for things like email, calendar, file storage and so on, as they are offered by Google, Microsoft and Yahoo, are becoming more and more common, they become an integral part of our lives, even though that’s not always obvious for their users. In this story, the platform of choice being used was Google.

The person affected by this situation, clearly growing up in the generation of WhatsApp, claimed she wasn’t sending a lot of emails, it was very clear to me that the Google-account she used was the root of this. She used it for all sorts of things: iCloud, Facebook, getting her credit card statements, Dropbox, a dating platform – just to mention a few. The attack is simple and can be described with two words: “Forgot password?”

Clicking a link with this label on almost any given site will lead to a form where the user can insert his username and/or email address in order to get a link to set a new password. (Some sites, mostly older or just insecure applications, will just send the cleartext passwords they stored, which is even worse. But that’s material for another article.)

This process did work for the iCloud account of my acquaintance too. The attacker would log into the compromised Google account, request a password reset, go through the process of setting a new password and then delete all the evidence – mails confirming the password change and the notification for an iCloud login from a new device – before logging off again. Using the new password, he had complete access to the iCloud account: photo stream, current location of the device, notes – everything. The only hint of this happening was the invalidation of existing authentication tokens, which led to the query on the initially mentioned iPhone to re-enter the password for the corresponding iCloud account which would then, for obvious reasons, fail. Which is the clue that led to the discovery of this situation going on.

Not all services handle persistent sessions the same way. Looking more closely at the abuse of the account, iCloud wasn’t the end of it. Facebook, for example, allows explicitly to keep existing sessions alive when a password change is conducted. Which means: If you stay logged in on your phone and/or desktop computer and never actually have to re-authenticate, your account might be compromised for months before you notice – which would allow an attacker to monitor your timeline and chats in real-time, constantly.

At this point, a couple of days after the initial conversation outline above, my acquaintance was highly disturbed by the invasion of privacy she fell victim to. The case was handed to local law enforcement who, after a long while, managed to identity the perpetrator, who now has to face the repercussions of his actions.

Based on the events of this story, it becomes very obvious how powerful a compromised Google-account can be for an attacker. And the possibilities do not end at resetting passwords. Google itself yields access to a wide variety of sensitive information to everyone who knows this specific password: Every search query, every watched YouTube videos – as well as location information on most Google Android users. The possibilities for a creative attacker are abundant.

Identifying such attacks is hard for regular users. When the conversation in the first paragraph happened, the unauthorized access had been going on for at least six months, potentially even longer. One possibility to detect unauthorized access is to use the Activity Info button in Gmail, tucked away in the lower right corner. Facebook offers a similar feature in its Security Settings, labelled Where You’re Logged In. Whenever any suspicious activity pops up, all current settings should be terminated and the relevant passwords – the one for the email account being first – should be reset.

Google Authenticator on an iPhone

A more secure and sustainable solution for this problem is readily available and already being used in other areas, such as e-banking or online-gaming: Two Factor Authentication. It’s only consequent to apply this to personal email accounts as well. The corresponding application to enable this on Gmail, Google Authenticator, can be installed for free and setting everything up usually takes 5-10 minutes. Afterwards, logging into the account requires a code generated by the application, in addition to the password. A small extra effort for considering the massive potential damage somebody could cause by compromising the account.

There is one thing that this anecdote clearly illustrated: The times, where information security only applied to financial service providers and secret services are definitely gone. In a time, where our communication and lifestyle slow shifts into the digital realm, handling digital risks becomes a mandatory skill for every single one of us. An endeavor, that requires a lot of extra effort from everyone involved.

About the Author

Stefan Friedli

Stefan Friedli is a well-known face among the Infosec Community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) as well as a board member of the Swiss DEFCON groups chapters, he still contributes to push the community and the industry forward.

You are looking for an interview partner?

Our experts will get in contact with you!

×
I want a "Red Teaming"

I want a "Red Teaming"

Michael Schneider

Human and AI

Human and AI

Marisa Tschopp

Vehicle forensics

Vehicle forensics

Michèle Trebo

Isn’t business continuity part of security?

Isn’t business continuity part of security?

Andrea Covello

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here