Why is your Gmail account so easily hacked?

I just stumbled onto this myself by recovering a friend's account.

If you know anyone's gmail account creation date (month and year), you can take over their account. You can ask them to show you by playing a game, "I bet my gmail is older than yours", and they will prove you wrong by looking it up, and you can see the month/year. Or just look in your inbox for when they first emailed you, or many people announce "this is my new email" by mass mailing everyone in their contacts. You can also just keep guessing; Google doesn't seem to have a limit.

Is this not INSANE???

It works every time as long as you do it from behind the same router they ever used to log in. So everyone at work, or at home, or anyone logged in at a library or Wifi hotspot, can be hacked this way. It even bypasses 2 step authentication completely.

I reported it to Google security and they said “it works as it should, there is no problem here”. I have a HUGE problem with this.

You need to know more than just the creation date for the account to gain access to the account. You also need a recent password.

No you don’t. Try it.

Edit: Just keep hitting “try another question” after choosing “forgot password”, to get to the screen where it asks you month and date. After that if you know this information, you are in.

If there is anything “INSANE” about gMail, or any web-mail service for that matter, it is that stupid people routinely store valuable and/or sensitive information with it. :rolleyes:

And don’t follow even basic security protocol.

Yeah, but all this big deal over secure passwords and 2-step authentication, and all you need to know is this trivial bit of easily obtained information, to steal anyone’s account?

I get this during the recovery process.
“If you can, briefly tell us why you can’t access your account. Google will get back to you in 1-3 hours.”

So if this is actually read by a real person, how high the bar is set on your explanation is instrumental.

It says that if it won’t work. If you type in a reason it will fail right away. Either wrong date chosen, or that user account isn’t considered to be part of the network you are trying to access from.

When it accepts it, it goes straight to typing in the code Google emails you, and then straight into password change.

Try it for your own account or an account you know connects from within that network. Which would be the same as a coworker, or any family member at home.

Try to log in but say you forgot the password. Then choose the month/year the account was created question. Input the proper month/year (in your inbox choose oldest, and see when your own account was created). And then follow the instructions.

Who even knows the month/year that they created their gmail account?

That is a terrible question to ask a user. How would one even find that out?

For posterity, I tried this with an old gmail account I no longer use.

It did look like it was going to work. I entered the correct month/year and it asked for a second email address to send a verification code to. It then really did send the verification code to this second email address. However, once I entered that verification code back in gmail.com, I got the following:
"Couldn't sign you in

Thanks for verifying your email.

You weren't signed in because Google couldn't confirm that REDACTED@gmail.com belongs to you."
So, it doesn’t seem to me like it’s as easy to take over the account as the OP is saying.

OP, did you really steal someone else’s email account, or just managed to take over one that was rightfully yours to begin with?

It's only one of many different ways gmail tries to help you recover. It comes after several other options such as recovery phone number, email addresses, last known passwords, etc.

For the sake of argument, assuming everything you said is true, the above statements are a form of social engineering in order to gain information that should not be shared. Of course, there is an ego mindset at work here where some personality types are quite susceptible at being manipulated.

Hmmm. You may have been missing one component of the OP’s mechanism. Your IP address must match one that has been used in the past to log-in to the account being hacked. If you had not used the account in some time this might be hard to manage, especially if you tried from home on a link that has dynamically allocated IP addresses.

Just how Gmail is supposed to perform the missing confirmation is hard to understand. It sent you the verification code. But it didn’t work. IP address is about all it has to go on at this point - so the threat remains plausible and worrying.

Actually, right before attempting the recovery, I logged in legitimately to the “lost” account, in order to find out the correct month/year of account creation. So not only had I logged in with that account from the same IP sometime in the past, I had done so not 5 minutes before the recovery attempt. Not only that, I even used the same browser (albeit in incognito mode), so it probably even had the same browser fingerprint. Google still rejected the attempt.

Agreed that it’s hard to understand. I imagine that the algorithms that decide whether or not to allow the recovery to happen are something they will keep private and tinker with internally all the time. I was also a bit worried that it was as easy as OP suggested, so I’m glad to have been able to somewhat disprove it. After all, google has to balance the security of the accounts against the ability for legit users to recover. They don’t have an obligation to treat your gmail account like Fort Knox, and meanwhile they have users complaining that they can’t get back into their account to retrieve their previous emails and pics and google docs and whatnot.

I am more likely to reveal my password than the date I got my email account. I only know one of the two.

Hi guys, OP here.

I’ve done this with 3 accounts so far. One even from the year 2006 when I created it for a friend who has forgotten all about it.

What I find is that if your computer is not registered to that IP network, then it will ask you for extra questions, and ultimately fail.

But basically it worked all 3 times as long as the computer has been used from that network before. And I only “hacked” my friends.

Basically Google says this is all legit, and this is how it works. If it doesn’t work for you, then either your month/year is wrong, or the computer is not considered to be a frequent enough user from that IP. So anyone at work or home it should work.

And as for how to find out the date, just look at my opening post. Easiest thing ever. And not sure if you guys remember "inviting" others to Gmail when it just started, but basically everyone that I invited at the office I can hack now from the information GOOGLE provided to me.

Go to your inbox, and click “oldest” up top by the message count. It will show the first day of your account and Google greeting you will be your first email.

Can you explain in more precise technical terms what you mean by this?
By itself I can’t work out what you are trying to say.

Basically Gmail wants to only authorize you to unlock your own account. However since we all share the same internet connection at work or at home, you share the same IP number as far as Google is concerned. Go to any terminal at work and google “what’s my IP” and you will get the same number from all the computers.

So if you lock yourself out of your own account, Google gives you an option to reset the password by knowing the month/year you created your account, just as long as it can determine you are doing it from your own computer. Let’s say it’s fully legit, and you are at work. You can unlock your own account from any terminal at your work, since all computers share the same IP number to the internet (you are all sharing the internet modem).

At the same time, this means your coworkers or family members can unlock your account as well because it all looks proper from Google’s point of view. And when they do unlock it, there is nothing you can do about it. There is no option to disable this simple question or reset your “gmail creation date”. Even 2 step won’t save you if someone at work (or at home, or maybe even at the library) knows this date.

I was a very early adopter of Gmail, so I have super awesome simple login names. Anyone who knows anything could guess it couldn’t have been created much past when Gmail started. All they have to do is keep guessing month by month, and sooner or later they will break into my account this way. And there is nothing I can do. And if I stumbled on this by accident, how many people already know this and are abusing it?

I went to the Google support forums after I found this, and people as far back as 2013 were complaining about this, but nothing has been done. So if you can, try to keep your gmail creation date super secret, but who would guess it's this simple. And most if not all of us announce it to the whole world by sending an email "HEY, this is my new email, don't use the old one" and bingo, they have your creation date.
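The two weaknesses the thread keeps returning to (the recovery flow at the top of the thread and the shared-IP explanation in the post above) can be measured with a small model: a recovery gate that accepts the account-creation month/year as the secret and requires the request to come from a public IP the account has signed in from before. This is a constructed example, not Google's code and not from any post in the thread; the class names, the sample addresses (TEST-NET ranges), the attempt limit and the assumed "today" of mid-2015 are all assumptions. The one fact it relies on is that Gmail opened in April 2004, so no account predates that month.

```python
"""Toy model of the account-recovery gate described in this thread.

Constructed example, not Google's logic: the account-creation month/year is the
secret the question asks for, and the request must come from a public IP the
account has signed in from before.  Sample IPs, class names, the attempt limit
and the assumed "today" are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

GMAIL_LAUNCH = (2004, 4)  # Gmail opened in April 2004, so no account predates it


def months_between(start: Tuple[int, int], end: Tuple[int, int]) -> int:
    """Size of the (year, month) search space from start to end inclusive."""
    (y0, m0), (y1, m1) = start, end
    return (y1 - y0) * 12 + (m1 - m0) + 1


@dataclass
class Account:
    email: str
    created: Tuple[int, int]                     # the "secret" (year, month)
    seen_ips: set = field(default_factory=set)   # public IPs of past sign-ins
    recovery_attempts: int = 0


@dataclass
class RecoveryGate:
    """Decides whether a password-reset code may be sent for an account.

    max_attempts=None models the thread's observation that wrong month/year
    guesses are not limited; a small integer models a lockout (assumed policy).
    """
    max_attempts: Optional[int] = None

    def attempt(self, acct: Account, claimed: Tuple[int, int], from_ip: str) -> str:
        if self.max_attempts is not None and acct.recovery_attempts >= self.max_attempts:
            return "locked"
        acct.recovery_attempts += 1
        if from_ip not in acct.seen_ips:
            # Thread: an unknown network gets extra questions and ultimately fails.
            return "needs_more_questions"
        if claimed != acct.created:
            return "wrong_date"
        return "send_reset_code"


def brute_force(gate: RecoveryGate, acct: Account, from_ip: str,
                today: Tuple[int, int]) -> Tuple[bool, int]:
    """Guess every month from Gmail's launch up to `today`, oldest first.

    Returns (reset code obtained?, number of guesses made).
    """
    y, m = GMAIL_LAUNCH
    guesses = 0
    while (y, m) <= today:
        guesses += 1
        result = gate.attempt(acct, (y, m), from_ip)
        if result == "send_reset_code":
            return True, guesses
        if result == "locked":
            return False, guesses
        m += 1
        if m > 12:
            y, m = y + 1, 1
    return False, guesses


def scenarios(today: Tuple[int, int] = (2015, 6)) -> dict:
    """Run the thread's cases against fresh copies of one victim account."""
    office_nat = "203.0.113.7"   # constructed: the office's single public IP
    outsider = "198.51.100.9"    # constructed: an IP the account never used

    def victim() -> Account:
        # constructed victim: created September 2006, only ever seen from the office NAT
        return Account("victim@example.com", (2006, 9), {office_nat})

    return {
        "search_space": months_between(GMAIL_LAUNCH, today),
        "coworker_no_limit": brute_force(RecoveryGate(), victim(), office_nat, today),
        "outsider_no_limit": brute_force(RecoveryGate(), victim(), outsider, today),
        "coworker_5_attempts": brute_force(RecoveryGate(max_attempts=5), victim(), office_nat, today),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

The numbers make the thread's point concrete: with mid-2015 as "today" the whole secret space is 135 months, so a coworker behind the same NAT address who guesses from Gmail's launch forward reaches a September 2006 account on the 30th try, while an outsider on a different network never gets past the extra questions no matter how many guesses they make. Adding even a five-attempt lockout to the same gate stops the coworker on the sixth guess; the shared-IP trust is unchanged by that, which is why the thread's other complaint (family and colleagues share your public IP) survives a rate limit and needs a per-device signal instead.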

I don’t claim to know how all of Google works, but I would think trying to recover a password 5 minutes after logging in may not be to their liking. After all, you just logged in, so why ask for a new password? That could be a reason why it failed.