[LINK] gmail's password recovery via SMS feature

Fernando Cassia fcassia at gmail.com
Wed Aug 18 22:01:48 AEST 2010

On Wed, Aug 18, 2010 at 8:22 AM, Jon Seymour <jon.seymour at gmail.com> wrote:

> Does anyone know if GMail's (new?) password recovery via SMS feature
> requires anything more than possession of the victim's mobile in order
> to compromise their e-life?
> jon.

Apparently, the answer is no.

Just steal someone's mobile (knowing he has that mobile as the backup
contact method for his/her Google account), then proceed to click on the
"lost my password" links on the GMail site and you'll have a new PIN code
delivered by SMS which you can use to "reset your password", thereby getting
access to his/her account and locking the legit owner out of his own (as
soon as he logs out and loses his/her session cookie).

Not only that, Gurgle now has a real phone number associated with each email
address (mobile OR land line; I was once asked to enter a fixed phone# due
to "suspect activity" in my account. I got a call back and was given a PIN
code by a text-to-speech engine, which I then had to enter into a special
Gmail screen to have my account "validated").
