Google and security. Oil and Water. (Or: How to DoS google groups)

The buzz was on about google buzz sharing your list of contacts (which they then quickly fixed, with their casual we-did-nothing-wrong-these-are-not-the-droids-you’re-looking-for mind trick).

Readers of this blog remember when google calendar let you see the full name behind every gmail address. At that time google first ignored the report, then decided there was nothing wrong with that feature, then fixed it. Only it still works, on other google services. Of course, these aren’t the droids I’m looking for.

Well, here’s a method to DoS a google groups user. It was discovered by Shachar Shemesh of lingnu about 18 months ago; he told google and was answered with a strong silence. With google the only disclosure that seems to work is full disclosure, so with apologies to you google groups users out there, here is the outline of the attack.

DoS’ing google groups
DomainKeys lets a receiving mail server check that a message really came from the domain in its “From” header: the sending domain’s own outbound SMTP servers sign each message, and the receiver verifies the signature against a public key published in that domain’s DNS. That makes it a good method to keep spam out, and to refuse emails that were sent through “the wrong” SMTP server, i.e. one that does not hold the domain’s signing key.

Google has taken DomainKeys a step further with their DomainKeys and Google Groups combo. In this combination, if an email is sent to a Google Group and its DomainKeys verification fails (for instance because it came through an SMTP server that is not one of the domain’s authorized, signing servers), the address in that email’s “From” header is banned from writing to or reading the Google Group in question. Note what the ban is keyed on: the “From” header, which is exactly the field the message just failed to authenticate, and which anyone can set to anything.

The banned user will no longer be able to write to or read from that group, and will not be able to “undo” this change, since emails to Google’s technical support regarding it appear to go unanswered.

From this background the attack is clear: a malicious attacker can get pretty much anyone banned from a given Google Group.

Steps to reproduce:

  • Subscribe to a Google group.
  • Look for a victim (anyone posting to the group from a gmail.com account is fair game).
  • Configure your email client to send emails with a “From” field that matches the victim’s email address, and use an SMTP server that is not one of those authorized to sign for that domain. Your ISP’s SMTP servers will probably suffice: they do not hold gmail.com’s signing key, so the message arrives at the group without a valid DomainKeys signature.
  • Use this configuration to send an email to the group. It doesn’t really matter what the email content is, but I recommend making it look like a genuine email to make it harder to filter (and to raise ‘plausible deniability’ in case someone comes asking questions).

As a result:
The victim will be automatically banned from the group.

He or she will receive no notification of that fact: neither that they were banned, nor even that the email they supposedly sent failed DomainKeys verification.

The victim will cease to receive emails from the group. They will only find out about it if they try to send an email, at which point they will receive a brief and unhelpful message saying they were banned, with no explanation why and no means to appeal.

Trying to access the group from the web site will result in a “you are banned” message, again with no helpful information on why the ban was imposed nor how to appeal. It is a curious point that even information that is publicly available without registration, such as the group’s archive or description, will be blocked. They will have to sign out of Google to be able to see it(!).

The best means of appeal the victim is likely to find is “Google Help”, which points to an email address where past experience shows the request will be unceremoniously ignored, just like Shachar’s email notifying google of this vulnerability.
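To make the root cause concrete, here is a small model of the two policies, added as an example for this post; it is not Google’s code and not Shachar’s. It assumes a simplified DomainKeys: real DomainKeys uses an RSA signature verified against a public key published in DNS, while this model uses an HMAC over a shared secret so it runs with the standard library alone. The header name, the canonicalisation over “From”, “To”, “Subject” and the body, the key table, and the two sample messages are all constructed for the example. The flawed policy reproduces the behaviour described above (a verification failure bans the address in “From”); the hardened one drops the unverified message and takes no action against the claimed sender.

```python
"""Model of a group that bans the From address on a DomainKeys failure,
beside a policy that does not trust an unverified From. Added example;
the key, header name, canonicalisation and messages are constructed."""
import base64
import hashlib
import hmac
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed: the key the domain's own outbound SMTP servers sign with.
# A third-party relay (an ISP's SMTP server) does not have it.
# (Stand-in for the RSA key pair real DomainKeys publishes in DNS.)
DOMAIN_KEYS = {"gmail.com": b"constructed-signing-secret-for-gmail.com"}
SIGNED_HEADERS = ("From", "To", "Subject")
SIG_HEADER = "DomainKey-Signature"  # constructed header name


def _from_address(msg: Message) -> str:
    return parseaddr(msg.get("From", ""))[1].lower()


def _canonical(msg: Message) -> bytes:
    """Bytes covered by the signature: selected headers plus the body."""
    lines = [f"{h.lower()}:{(msg.get(h) or '').strip()}" for h in SIGNED_HEADERS]
    lines.append(msg.get_payload().strip())
    return "\n".join(lines).encode()


def sign(raw: str) -> str:
    """What the sending domain's own SMTP server does on the way out."""
    msg = message_from_string(raw)
    key = DOMAIN_KEYS[_from_address(msg).rpartition("@")[2]]
    mac = hmac.new(key, _canonical(msg), hashlib.sha256).digest()
    msg[SIG_HEADER] = base64.b64encode(mac).decode()
    return msg.as_string()


def verify(raw: str) -> bool:
    """Receiver-side check. A missing or wrong signature proves only that
    the message was NOT sent by the domain named in From."""
    msg = message_from_string(raw)
    sig = msg.get(SIG_HEADER)
    key = DOMAIN_KEYS.get(_from_address(msg).rpartition("@")[2])
    if sig is None or key is None:
        return False
    mac = hmac.new(key, _canonical(msg), hashlib.sha256).digest()
    return hmac.compare_digest(sig.strip(), base64.b64encode(mac).decode())


def flawed_group_policy(raw: str, banned: set) -> str:
    """The behaviour the post describes: a verification failure bans the
    address in From, i.e. the one field the message just failed to prove."""
    sender = _from_address(message_from_string(raw))
    if sender in banned:
        return "rejected: sender is banned"
    if not verify(raw):
        banned.add(sender)
        return "rejected: verification failed, sender banned"
    return "delivered"


def hardened_group_policy(raw: str, banned: set) -> str:
    """An unverified From proves nothing about who sent the message, so the
    only safe reaction is to drop that message and touch no state keyed on
    the claimed sender."""
    if not verify(raw):
        return "rejected: verification failed"
    sender = _from_address(message_from_string(raw))
    if sender in banned:
        return "rejected: sender is banned"
    return "delivered"


# Constructed sample messages: the victim's real post and the attacker's
# forgery, which carries the victim's From but no gmail.com signature.
LEGIT = """From: victim@gmail.com
To: some-group@googlegroups.com
Subject: Meeting notes

Notes from today's meeting, as promised.
"""

FORGED = """From: victim@gmail.com
To: some-group@googlegroups.com
Subject: Re: Meeting notes

Thanks, looks good to me.
"""


def run_scenario(policy) -> list:
    """Victim posts (signed by gmail.com), attacker posts the forgery via an
    unsigning relay, then the victim posts again."""
    banned = set()
    return [policy(sign(LEGIT), banned),
            policy(FORGED, banned),
            policy(sign(LEGIT), banned)]


if __name__ == "__main__":
    for policy in (flawed_group_policy, hardened_group_policy):
        print(policy.__name__, run_scenario(policy))
```

Under the flawed policy the victim’s third, perfectly valid post is rejected because the attacker’s forgery got the address banned; under the hardened policy only the forgery is dropped. The general rule the model illustrates: a failed authentication check tells you nothing about the identity it failed to confirm, so any ban, rate limit or reputation update must be keyed on something that was actually authenticated (the verified signing domain, the connecting SMTP client, a logged-in web account), never on the header that just failed.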

  • black hacker

    I’m pretty happy because SecuriTeam is moving against Google.
    As we all know, the Microsoft era is going to shut down;
    our next target is Google,
    so we want to find more vulnerabilities.
    I hope we can find exploits in the coming Chrome OS;
    right now exploits against Google are very few.

    Waiting for Chrome OS to arrive.

  • http://www.goodomain.net/ Domain Name Improvement

    worth making folk aware of this major security flaw in Google Desktop software …

  • http://www.ybo-interactive.com Yair Bar-On

    A few weeks ago I reported a bug in Gmail chat SMS. I blogged about it and sent Google the link.
    http://www.ybo-interactive.com/blog/2010/01/13/gmail-sms-bug/
    Needless to say, they fixed it the next day, and didn’t bother to reply with either a “fixed” or a “thanks”.
    This attitude is the basis of the Google “where does an 800 pound gorilla sit” attitude. They just don’t give a sh*t.
    As for your post, I have seen a similar problem in the past when I was investigating Gmail spam filter problems.
    I’ll check it again and post.

  • http://www.BeyondSecurity.com Aviram

    @Yair – let us know what you find…

  • IT Ninja

    btw, the National Security Agency was recently hacked. Yes, hacked! But it was downplayed in the media for obvious shameful reasons. Here’s the link:

    http://pinoysecurity.blogspot.com/2010/02/wwwnsagov-hacked.html