This week I was in what I hoped was the final test cycle for the 1.1.2 release of passQi, which includes some nice UI enhancements and important fixes. In the process I encountered what appears to be a significant security flaw in Google's design.
I had noticed earlier in the week that Google had, with some fanfare, rolled out their new security center under "My Account" ("Control, protect, and secure your account, all in one place"). Then, mid-week during testing, I noticed I was getting passed into the "Detect Login" flow in the app, which means I was dealing with new, previously unrecognized login URLs, and seeing some "unpretty" results.
In the process of figuring out what I was seeing and adapting to it, I learned something that really shocked me. Apparently, in their bid to unify login for all of their web properties, they are requiring the user to enter their full email address first, and then, on a refreshed version of the page, their password.
Some of you may have noticed that when logging in to just about any site, if you enter your password incorrectly, the error message displayed is usually something like "User/Password combination invalid" rather than "Bad Password." Why is this? Because an authentication system should not disclose which usernames exist, and that matters even more when the usernames are also email addresses.
Using email addresses as logins when consolidating multiple account silos is handy, insofar as it (more or less) lets you avoid "namespace collision": Fred Smith had the login "fred" in silo A, while Fred Jones had the login "fred" in silo B. One thing you cannot have after a merge is two different real-world people sharing the same login, and an email address is already unique to its owner.
I actually encountered this problem back when I managed Identity and Profile at Rearden Commerce (now Deem, Inc.); we had users in different environments and we wanted to create a single login. I'll just say for now that we solved it differently.
Why is this interesting, and why is it a problem? Two big reasons. First, if an attacker is trying to break into an account by brute force, "leaking" information during a login attempt is a bad thing: a message saying "Bad Password" is effectively saying "but the username was good!" The attacker has now verified a username and can shift all of their effort to guessing the password.
Secondly, anyone simply harvesting email addresses for spam can use the same response to verify that a given email address belongs to a real account.
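To make the two designs concrete, here is an added example (not code from passQi, Google, or the original post) of a login check written both ways: a "leaky" version that answers differently for an unknown account than for a wrong password, and a uniform version that gives one message for both. The user store, email addresses and passwords are constructed for the example. The uniform version also runs the password hash against a dummy record when the account does not exist, because an authenticator that skips the expensive hash for unknown users leaks the same information through response time even when the message is identical.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2 work factor; kept modest so the example runs quickly.
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_user_store(accounts: dict) -> dict:
    """Build {email: (salt, hash)} from plaintext passwords (setup only)."""
    store = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        store[email] = (salt, _hash_password(password, salt))
    return store


# Dummy record used for unknown accounts so that the unknown-user path
# does the same amount of work as the known-user path. The password behind
# it is random and never disclosed, so nothing can authenticate against it.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def leaky_login(store: dict, email: str, password: str) -> tuple:
    """The two-step pattern: the response reveals whether the account exists."""
    if email not in store:
        return False, "Unknown account"
    salt, stored = store[email]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Bad password"
    return True, "OK"


def uniform_login(store: dict, email: str, password: str) -> tuple:
    """Unknown account and wrong password are indistinguishable: same
    message, same hashing work, constant-time hash comparison."""
    salt, stored = store.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    ok = hmac.compare_digest(candidate, stored) and email in store
    return ok, ("OK" if ok else "Invalid username or password")


def distinguishes_users(login, store: dict, known_email: str, unknown_email: str) -> bool:
    """Attacker's view: does one wrong guess against each address produce
    different messages? True means the login is a username oracle."""
    known_msg = login(store, known_email, "definitely-wrong")[1]
    unknown_msg = login(store, unknown_email, "definitely-wrong")[1]
    return known_msg != unknown_msg


# Constructed sample accounts for the example (not real addresses).
USERS = make_user_store({
    "fred.smith@example.com": "correct horse battery staple",
    "fred.jones@example.com": "tr0ub4dor&3",
})

if __name__ == "__main__":
    for name, fn in (("leaky_login", leaky_login), ("uniform_login", uniform_login)):
        oracle = distinguishes_users(fn, USERS, "fred.smith@example.com", "nobody@example.com")
        print(f"{name}: username oracle = {oracle}")
```

Run it and `leaky_login` reports a username oracle while `uniform_login` does not. A real service should add rate limiting on top, but as the post argues, throttling slows an attacker down rather than removing the information leak.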
Go to the Google login page, start a login with a "new" account, and enter the Gmail address of someone you know. You'll see that Google confirms it is a valid account before ever asking for a password. (Likewise, if you enter a random, made-up email address, Google says that it is not recognized.)
Google has lots of clever ideas and technologies in authentication, but this feels like a generically bad move. I'm sure (?) they have throttling and other detection mechanisms in place to lock out pure brute-force attempts, but any leakage of data about usernames from an authenticator seems a serious deviation from accepted best practice.
Oh, and meanwhile, we did tweak the passQi recognizer to cope better with this type of two-step login, although it will only work smoothly if you click the passQi login from the "enter your password" page, which is where most people will be, because of the "remember me" cookie that prompts (or lets you select) possible accounts to log in to.