[LINK] gmail's password recovery via SMS feature
fcassia at gmail.com
Wed Aug 18 22:01:48 EST 2010
On Wed, Aug 18, 2010 at 8:22 AM, Jon Seymour <jon.seymour at gmail.com> wrote:
> Does anyone know if GMail's (new?) password recovery via SMS feature
> requires anything more than possession of the victim's mobile in order
> to compromise their e-life?
Apparently, the answer is no.
Just steal someone's mobile. (Knowing he has that mobile as the backup
contact method for his/her Google account) then proceed to click on the
"lost my password" links on the GMail site and you'll have a new pin code
delivered by SMS which you can use to "reset your password". Thereby getting
access to his/her account and locking the legit owner out of his own (as
soon as he logs out and loses his/her session cookie).
Not only that, Gurgle now has a real phone number associated with each email
address (mobile OR land line, I was once asked to enter a fixed phone# due
to "suspect activity" in my account. I got a call back and was given a pin
code by a text-to-speech engine, which I then had to enter into a special
Gmail screen to have my account "validated").