[180129] in North American Network Operators' Group
gmail security is a joke
daemon@ATHENA.MIT.EDU (Markus)
Tue May 26 10:26:46 2015
X-Original-To: nanog@nanog.org
Date: Tue, 26 May 2015 16:26:38 +0200
From: Markus <universe@truemetal.org>
To: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Did you know that anyone, anywhere in the world can get into a gmail
account merely by knowing its creation date (month and year is
sufficient) and the last login date (try "today")? What a joke.
Try it yourself, it's "fun".

Even worse, once the attacker has had control of your account once, and you
reset the PW and then enable 2-factor-authentication, he will always
come back because it is sufficient for him to know one of the last
passwords to reset it again. This will totally work around
2-factor-authentication and allow him to remove/change recovery E-Mail
+ phone + turn off 2FA. There's no way to get rid of him.
What a mess!

I have a gmail account that mostly sends mail and barely receives any.
This is probably why it works so damn easily. Otherwise the PW recovery
process will ask you for the E-Mail addresses of people that you have
received mail from in the past. But even this can get easily
guessed/researched.