- Summary: A user can get full access to a Google account with just a PIN authentication or fingerprint from the phone, making an extremely secure account easily accessible with a simple PIN.
- Steps to reproduce:
- 1. Get access to an Android phone of the victim and know its PIN code or authentication code. (Imagine working in a phone repair store: customers give out the PIN easily, or imagine seeing the person type the PIN, etc.; there are several ways to get a PIN code/pattern lock.)
- 2. On the Android phone, go to passwords.google.com and try to log in.
- 3. On the login page, you can already learn the email address, without even knowing it beforehand.
- 4. Click continue on the "Use device lock to login" page.
- 5. Click on "use PIN" and insert the PIN of the victim.
- 6. You are now on the page with all the saved passwords of the victim; you can now retrieve every single password for all bank accounts, social networks and maybe Google accounts as well, all of this with just a single PIN.
- Browser/OS: Chrome + Android
- Attack scenario:
- The takeaway here is that by just knowing a 4-digit PIN or pattern of a victim, you can have all sorts of access to every single account out there, including bank accounts and social networks. You can also have access to the Google accounts, and with this you can access everything of the victim and potentially cause a lot of harm.
- Imagine that the attacker works in a phone repair shop: he could easily save a list of victims and delete all emails and alerts from Google emails as well as other secondary emails, to prevent the victim from thinking that anything happened; then he could wait before making any kind of attack.
- Imagine this other scenario: you want to access your girlfriend's social accounts; as the boyfriend you could easily access any social account live from anywhere and have all kinds of access to private information.
- 06:08PM
- Component: 310426
- Status: New
- Reporter: [email protected] (Alexandre *********)
- +CC: [email protected] , [email protected] (Alexandre *********)
- Type: Customer Issue
- Priority: P4
- Severity: S4
- Title: Auth Bypass in Android + Google Chrome Fingerprint or pin Authentication method
- [email protected] <[email protected]> #2 Jan 7, 2020 06:08PM
- ** NOTE: This e-mail has been generated automatically. **
- Thanks for your report.
- This email confirms we've received your message. We'll investigate and get back to you once we've got an update. In the meantime, you might want to take a look at the list of frequently asked questions about Google VRP at https://sites.google.com/site/bughunteruniversity/behind-the-scenes/faq.
- If you are reporting a security vulnerability and wish to appear in Google Security Hall of Fame, please create a profile at https://bughunter.withgoogle.com/new_profile.
- You appear automatically in our Honorable Mentions if we decide to file a security vulnerability based on your report, and you will also show up in our Hall of Fame if we issue a reward.
- **Note that if you did not report a vulnerability, or a technical security problem in one of our products, we won't be able to act on your report. This channel is not the right one if you wish to resolve a problem with your account, report non-security bugs, or suggest a new feature in our product.**
- Cheers,
- Google Security Bot
- Follow us on Twitter! https://twitter.com/googlevrp
- 06:08PM
- +Hotlist: 702027
- [email protected] <[email protected]> Jan 8, 2020 10:06AM
- Component: 310426 → 310543
- [email protected] <[email protected]> #3 Jan 8, 2020 10:06AM
- Assigned to [email protected].
- ** NOTE: This e-mail has been generated automatically. **
- Hey,
- Just letting you know that your report was triaged and we're currently looking into it.
- You should receive a response in a couple of days, but it might take up to a week if we're particularly busy. In the meantime, you might want to take a look at the list of frequently asked questions about Google VRP at https://sites.google.com/site/bughunteruniversity/behind-the-scenes/faq.
- Thanks,
- Google Security Bot
- 10:06AM
- Status: New → Assigned
- Assignee: <none> → [email protected]
- [email protected] <[email protected]> Jan 16, 2020 10:26AM
- Priority: P4 → P3
- [email protected] <[email protected]> Jan 20, 2020 09:59AM
- Component: 310543 → 310427
- [email protected] <[email protected]> #4 Jan 24, 2020 03:34PM
- Status: Won't Fix (Intended Behavior)
- 03:34PM
- -Hotlist: 702027
- 03:34PM
- Hello,
- Thanks for reaching out to us about this issue!
- If an attacker has access to a victim's phone, then with persistence the attacker has a higher chance to take over the account, depending on the technical capabilities of that attacker. We would recommend that you never share your four-digit PIN or code to access your phone with anyone.
- Once someone has access to your phone and is able to use your phone in full, then it is hard to programmatically determine whether the actions on the phone are being committed by the victim as opposed to the attacker. If an attacker has already passed the PIN code barrier of your phone, then they wouldn't need to know your password in order to commit the attacks that you propose, even if we removed the feature that you highlighted, because access to the device could lead to the attacker changing the password of the account by going through recovery on this device.
- Many users enjoy the "Use device lock to login" feature, and it seems you are suggesting that we require a password to use one of our services from a personal device. I am not sure, if we removed this feature, that it would increase the security of a Gmail account, since the device in itself increases the chances of a successful recovery if you know the Gmail address tied to the phone.
- That said - if you think we misunderstood your report, and you see a well defined security risk, please let us know what we missed.
- Best,
- Marc, Google Trust & Safety
- 03:34PM
- Status: Assigned → Won't Fix (Intended Behavior)
- Alexandre ********** <[email protected]> #5 Jan 24, 2020 04:14PM
- Hello Marc, yes, I truly understand the cool functionality of this PIN/fingerprint to enter.
- I will again give the example of a phone repair service center of some kind.
- A bad-intentioned person would never by any means try to "recover" an account of a person to attack them. Why, you would ask? Well, they would need to try to do it while having the phone in hand, and the person being attacked would notice right away by receiving any kind of emails, etc. There would be alerts for sure! And the person would at the very least get suspicious about this!
- By leaving the PIN function available you are opening a breach to store the passwords locally to prepare an attack later, avoiding any kind of suspicion of the store or the worker itself, because no alerts would be emitted to the true owner...
- The only thing now that is not happening is that no one knows this simple trick, but when someone starts to notice this they will start to make attacks; then, instead of avoiding your customers' issues, you will have to repair them.
- I could very easily store a lot of customers' passwords of any kind, and then prepare an attack a year later. No one will know for sure what happened here.
- At least make the option to require the fingerprint only, and remove the PIN.
- You at Google love to send emails warning about possible account breaches everywhere. You have this simple trick open to everyone. I can know every password of a person by just knowing a 4-digit PIN and not be scared of the person knowing that I just did that.
- And of course I am totally aware of the risks of letting people access my phone, but you have to consider that the average consumer thinks that they are perfectly safe by giving a 4-digit PIN to a simple phone repair shop. They will never suspect that the store can know every single password to every single website that they have saved on the Google account, or even enter the Google account at will without knowing the password beforehand and without alerts from Google; even an experienced user would probably let this slip through...
- I truly believe that this kind of trick in the wrong hands could lead to serious injury to lots of people. It's a matter of time only... To be a hacker you don't have to understand code; sometimes you have to find these little gaps in the system.
- I love this feature myself, and I don't want to lose it. The best way here? Make the feature fingerprint only, not with the phone PIN.
- You should reconsider this; by putting this aside and making it "intended behaviour" you are ignoring all these facts, and it will be a matter of time until someone starts using this; then you will reconsider and it will be too late.
- We know that this is the end user's fault! But shouldn't you try to avoid all the harm this would make? Imagine if I post this on Reddit or any social network, providing all the information about this flaw, and stating that you are letting this slip? People will get informed about a new kind of attack and then you will take action? If the answer is yes, why then wouldn't you want to solve this? Just because it is not known yet?
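The "fingerprint only, not the phone PIN" policy argued for in the message above, written as an added example (not code from this thread, from Google or from Chrome) for an Android app that gates its own stored secrets: the androidx.biometric prompt excludes DEVICE_CREDENTIAL, and the Keystore key is generated to require a class-3 biometric per use, so the PIN or pattern alone cannot release it. It assumes API level 30+ with the androidx.biometric and androidx.core libraries; the key alias, prompt title and class name are hypothetical.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricManager.Authenticators;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.KeyStore;
import java.util.concurrent.Executor;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class BiometricOnlyVault {
    private static final String KEY_ALIAS = "vault-key"; // hypothetical alias

    // Generate an AES key that the Keystore will only release after a
    // BIOMETRIC_STRONG authentication; the device PIN/pattern is not accepted.
    static void createKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)
            // API 30+: authenticate on every use, biometric class only (no credential fallback)
            .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
            .setInvalidatedByBiometricEnrollment(true) // new fingerprint enrolment kills the key
            .build());
        kg.generateKey();
    }

    // Show a prompt with no PIN/pattern fallback and bind the cipher to the result.
    static void unlock(FragmentActivity activity, BiometricPrompt.AuthenticationCallback cb) throws Exception {
        if (BiometricManager.from(activity).canAuthenticate(Authenticators.BIOMETRIC_STRONG)
                != BiometricManager.BIOMETRIC_SUCCESS) {
            throw new IllegalStateException("no class-3 biometric available; refusing to fall back to PIN");
        }
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) ks.getKey(KEY_ALIAS, null));
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock saved passwords") // hypothetical title
            .setAllowedAuthenticators(Authenticators.BIOMETRIC_STRONG) // DEVICE_CREDENTIAL deliberately excluded
            .setNegativeButtonText("Cancel") // required when device credential is not allowed
            .build();
        Executor executor = ContextCompat.getMainExecutor(activity);
        new BiometricPrompt(activity, executor, cb).authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

The prompt's allowed-authenticator set is only a UI policy; it is the key's authentication parameters, enforced by the Keystore, that make a PIN-only unlock insufficient to decrypt the stored secrets.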
- [email protected] <[email protected]> Jan 24, 2020 04:14PM
- 04:14PM
- +Hotlist: 702027
- [email protected] <[email protected]> #6 Jan 27, 2020 01:30PM
- 01:30PM
- -Hotlist: 702027
- 01:30PM
- You are free to post this on reddit and secondly, why would anyone give their 4 digit code to Phone repair service center? The repair shop would have no need for their customer's pin and this is not normal practice. Your pincode is your pincode, not to be shared with anyone.
- Alexandre ********* <[email protected]> #7 Jan 27, 2020 01:37PM
- The question is not why would they. The question is: do they? And yes, they do. Sometimes to fully test the phone, like checking if the touchscreen is working in all areas, etc.
- You are completely ignoring this, because you are stating what you think is correct or not. Well, people do it. That is normal, and they think a 4-digit PIN will only give them access to the phone, and not to the Google account entirely. I mean, at least they should expect an alert, but no, nothing. Easy access. I'm surprised to see how you can ignore this... Your reaction is, well, it's the people's fault, deal with it. Shouldn't you prevent stuff that is related to user error as well? I don't know. I'm kind of disappointed in this answer.
- It's like phishing: why would people enter the password on wrong websites? Well, they do. You alert people about this anyway. Why should you care about that then anyway? It's their fault as well.
- [email protected] <[email protected]> Jan 27, 2020 01:37PM
- 01:37PM
- +Hotlist: 702027
- [email protected] <[email protected]> #8 Jan 27, 2020 02:56PM
- 02:56PM
- -Hotlist: 702027
- 02:56PM
- Hello,
- You are conflating what I said, in my original response, I explained that if someone knows the pin to your phone that they would have an advantage to reset the Gmail account's password, so removing this feature wouldn't provide any extra protections against this kind of attack.
- Alexandre ********* <[email protected]> #9 Jan 27, 2020 03:23PM
- Yes, but the original owner gets notified via email + alternate email address with emails about those actions, right? So will a guy working at a store even consider doing this? It would point everything to himself.
- Imagine if you get notified of such actions and your phone is at the repair shop; well, that's an easy case to solve... Just go there and ask who did it and why.
- If you know your phone is at a repair shop and you notice that your password got reset or you received an email, wouldn't you ask in the store who did this and why?
- I just can't believe how you are not understanding what I am saying.
- That would be a big risk for whoever is doing that, because that kind of "attack" would have to be done when you have the phone in hand. The owner would know in several different ways that something odd happened, you understand this?
- This other way around is not the same: I could just write down all the info that I want and then wait a couple of days or months or years to make something out of it. The person would not even know how the hell they are getting attacked. Do you understand this?
- There are 2 attacks here.
- 1. Having access to the Google account while having the phone in hand (your example)
- 2. Having access to the Google account and other kinds of accounts later; this includes social accounts and bank accounts and anything that is saved in Google Passwords.
- Disadvantages/safeties implemented in attack 1:
- - The attacker needs to act with the device in hand, having all kinds of attention on him.
- - Changing any passwords with the device in hand would bring suspicion from the owner. There are tons of notifications from Google when that happens.
- - The owner will get notified via different methods.
- - They will never prefer to do this because they will be scared of being fired from the job.
- Disadvantages/safeties implemented in attack 2 (my example):
- - The attacker could just save the passwords and the owner will not know this, because you are not currently notified of accessing that page. So the attacker feels safe doing this. No suspicions.
- - The attacker can try to log in at any website (bank or social) later, and the owner can be notified at that time, but will never know who is doing that, nor will they remember that that simple repair shop could hack them.
- - The attacker could try to make an attack at night; this way the original owner could be sleeping, giving him a lot of time to do anything he wants.
- - No suspicions, no fear of doing this, as the attacker could log in at an internet cafe to hide his real IP address...