Not everyone uses a NAT’ed internet connection. Plenty of places have class C addresses, and many have class B. There are the anointed few that still have their class A even. When I was working at my old university we had a class B address, and my workstation had its own IP address.
NAT is a bit more complicated than just everyone having the same external IP address - the NAT implementation in the router has to be able to make everything work, and it has to know how to route back to your PC traffic sent to the one and only IP address that is externally visible. Typically it will need to do this by changing the port number the traffic appears to come from. A careful external server can see the different traffic come from different port numbers, even though the IP address is the same. Google may well watch the port numbers and have some algorithm for deciding what to do. However the port numbers will vary all over the place as connections are made, so it isn’t really clear what they could do.
Running the browser in private mode when trying to log in with the validation code may cause a failure because when you asked for the password reset Google may have dropped a cookie into your browser that it later tries to match with the validation code. This stops someone intercepting the email with the code in it and using it to break the account. You need to log in from the same browser session - the one with the cookie.
Yeah, but he’s the owner. How can a stranger know it? And if someone close to me wants access to my email there are easier ways (like, you know, using my computer).
I don’t know exactly how it’s verifying it, or what it is really looking for.
But I know I can use this method from any computer at my work for any of the gmail account password resets I tried so far.
Just now I tried the method using a totally unrelated computer on a different floor of the office (all behind the same router/modem), and Google didn’t even have to send an authorization code to me, it just let me straight into changing the password to an account when I chose the right month/year. I changed the password to this gmail account this same way about 4 days ago from a different computer (mine that time) but it had to send me the code then.
I am not logged in anywhere as myself, I am logged into our network as one of my coworkers, on a totally random machine changing a password to an account it should have zero rights to change apart from me knowing the month/year of that account creation.
From reading the Google support forums this was the same scenario others were upset about, but Google never replied at all.
The general rule is that something as simple as a date has too little entropy in it to be an effective guard against cracking. A range of three years only gives a shade over 1000 possible choices. I.e., no more effective than a three digit PIN.
Compared to the rules for choosing useful passwords, this is insanely poor.
I get phone support conversations all the time where they want to verify your identity with nothing more than birth date. Sometimes only day and month. However they have rung me - or have used caller id - so they have some hope they are talking to the right person, but it isn’t exactly secure.
You can’t “hack” a stranger this way, since you have to be behind the same modem/router. But your coworkers can hack you, or your family members can all take each others accounts this way.
Have you never sent “this is my new email” to people on your contact list? If you did, then they have your gmail creation date, unless you waited years to send it to them after creating it.
I know at work I could get anyone’s account creation date just by going “Hey, my gmail is acting funny, what happens when you click “oldest” in your inbox”. And right away I would see their creation date as it goes to the oldest page, and the very first email is their creation date as Google sends it.
No I haven’t done it, because I don’t want to know, but this is so easy and nobody would blink an eye. Who would imagine knowing gmail creation date to be of any use to anyone? I bet if you asked them they would just tell you anyway if they knew how to find out.
Since you only need to get the month/year correct (they don’t ask for a day), to cover 3 years you only need to try 36 times to hit every single one!! Not sure if Google blocks you after many tries somehow, but I tried a few times choosing the wrong dates on purpose to see what it does and about the 3rd time entered the correct one and it let me in.
Just seems like a total joke to even have this as a recovery option. Good thing my triple secret password is safe though…
Or they can just see when you sent them the first email, and then keep guessing backwards month by month. 12 guesses = 1 year. It goes pretty quick, but don’t know if there is a daily limit to how often you can do it. But pretty darn easy if someone wants it.
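The entropy argument made earlier in the thread (a three-year range of days is barely a three-digit PIN, and at month/year granularity only 36 answers) can be put in numbers. This is an added example, not code from the thread or from Google; the date range, the attempt limits and the uniform-prior assumption are all constructed for illustration.

```python
import math
from datetime import date


def candidate_count(start: date, end: date, granularity: str) -> int:
    """Distinct answers to 'when was the account created?' in [start, end]."""
    if granularity == "day":
        return (end - start).days + 1
    if granularity == "month":
        return (end.year - start.year) * 12 + (end.month - start.month) + 1
    raise ValueError(f"unknown granularity: {granularity}")


def entropy_bits(candidates: int) -> float:
    """Entropy of a secret drawn uniformly from `candidates` values."""
    return math.log2(candidates)


def success_probability(candidates: int, attempts_allowed: int) -> float:
    """Chance the right answer is covered before a lockout after `attempts_allowed`
    tries, assuming a uniform prior and no repeated guesses. Shows why a lockout
    alone is a weak mitigation when the answer space is this small."""
    return min(attempts_allowed, candidates) / candidates


def compare_factors(start: date, end: date, attempts_allowed: int) -> dict:
    """Compare the creation-date factor at two granularities with a 3-digit PIN."""
    rows = {
        "creation day": candidate_count(start, end, "day"),
        "creation month/year": candidate_count(start, end, "month"),
        "3-digit PIN": 10 ** 3,
    }
    return {
        name: (n, round(entropy_bits(n), 2), round(success_probability(n, attempts_allowed), 3))
        for name, n in rows.items()
    }


if __name__ == "__main__":
    # Constructed three-year window (includes one leap day) and a 3-try lockout.
    window = (date(2007, 1, 1), date(2009, 12, 31))
    for name, (n, bits, p) in compare_factors(*window, attempts_allowed=3).items():
        print(f"{name:20s} candidates={n:5d} entropy={bits:5.2f} bits  P(success before lockout)={p:.3f}")
```

Narrowing the window to the twelve months before the first email someone received from the account, as the thread describes, raises `success_probability(12, 3)` to 0.25 per lockout window.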
Well, now you’re just using conjecture to hand-wave away datapoints that contradict your theory.
This is equally just conjecture, but since it’s your theory you naturally accept it uncritically. But the fact is, none of us know what factors into the decision to allow the recovery. This “same IP” theory is far from proven.
I tried it again, this time trying to recover my primary gmail account, one that I’ve used constantly from this same IP address for years (static business IP). Same result, Google did not allow me to recover.
So for my part I’m convinced it’s not as easy as you claim, and I have doubts about your IP address explanation. I actually suspect the secondary email address one uses to send the verification email has something to do with it. I made sure that I used an address that was never registered with google as my recovery address. Not sure what you used in your attempts.
Moreover, you yourself have stated that the issue was discussed on google forums, from some years ago, so it’s not like this is completely unknown or even new to the public. So if it were such a gaping security hole I would expect it to be much more well-known as an exploit by now.
I just tried it with 2 more totally different accounts that have nothing to do with me or my emails and it works from any computer at my work. I guess everyone on the Google support forums is wrong too, right?
It’s not a “security hole” it is as Google designed for password recovery. If you can’t recover your own password this way, then obviously it’s not working for YOU, like it should be. No? It’s supposed to work like this! I don’t have a crystal ball to know why it doesn’t in your case.
The only problem is the insanely easy question you have to verify. If it doesn’t work for you, then don’t worry about it and go about your day. This is a major issue for some of us.
Hmmm, with so many accounts that have “nothing to do with you” that you can crack - where are you getting these? You said work. Are these work accounts or just plain xxx@gmail.com that your colleagues have as private email accounts?
I don’t doubt that you are cracking these accounts, but there is more to this.
I’m not “cracking” anything. I am using Google’s built-in password recovery used as they themselves designed and instructed users to utilize. Only glitch is that it recognizes all of us on our network as the authorized user, just as others have discovered and complained to Google about.
I have friends and coworkers who trust me since I fix their computers and can have full access already, so I can try it with a lot of accounts just to confirm it works this way. None of them are work accounts, they are personal free accounts, and none of my friends can believe it works either.
Neither did I when I stumbled on this, that’s why I tried to share it and make others aware and to protect themselves after Google told me there is no issue with this setup.
I got Gmail when it came out in 2005. I just checked and my oldest email is from 2009. I guess I was a lot better about deleting unwanted emails back then. Wasn’t used to the essentially infinite amount of space Gmail gives you for free.
OK, like I said, there seems to be something we are missing if it isn’t working for some people that try it. Very likely some part of your procedure they are not exactly duplicating. Question is what.
I can’t figure out my setup date to try it without brute forcing it. Do people really never clean out their inboxes?
Anyway, it’s no less secure than those “secret question” things. If you can social engineer or brute force someone’s gmail signup date, you can surely do the same for their pet’s name or old high school name. You don’t have to be on the same network for the latter to work and Google at least notifies you when new devices log in unlike most sites.
It’s interesting, and it wouldn’t hurt to do away with it, but, I give it a “meh.” If security was really a concern you wouldn’t be using gmail to begin with.
The gmail paradigm is to archive it, not delete it. It isn’t in your inbox but it is saved.
I found my welcome message for all of my numerous gmail accounts. Going back a lot more years than I care to think about now. There are pics of me with a lot more hair than I currently sport. It is a fun stroll through memory lane back to when you had to get an invite for a gmail account.