SecureState Blog

Read SecureState's award winning blog.

A few weeks ago while “experimenting” with various email password reset security questions; I found something rather strange relating to Gmail and how it determined if you were the “rightful” owner of the account on which you were trying to reset the password. After making several different test Gmail accounts and producing the same results; I determined that it was possible to reset any Gmail account password as long as it did not have a recovery email or phone number linked to it; simply by entering the approximate month and year of the account creation.

When attempting to regain access to a Gmail account, you are asked to answer some general questions about the account. The first question asks for the, “Last password you remember”. I was able to determine that any value could be entered into this field, even if it was never previously used as the account’s password. The second question asks, “When was the last time you were able to sign in to your Google Account?” I was able to enter dates as far back as September 12, 1990, even if I had created the Gmail account a few hours before that. The last question asked, “When did you create your Google Account?” Through trial and error, I was able to determine that this date only had to be within +/- 3 months from when the account was actually created. And the result? Success!

Needless to say it was hard to believe that it was this easy to gain access to a Gmail account with such little information. As any responsible security consultant would do, I reported this bug to Google’s “Bug Bounty Program”, but not before making a Proof of Concept video, just in case this bug “mysteriously” stopped working.

I sent an email to Google’s Bug Bounty program with a detailed explanation on how I was able to “recover” any Gmail account that did not have a phone number or backup email address attached to it, by simply guessing when the account was created. Later that evening I received an email back from Google saying, “We use a variety of signals when deciding to recover an account or not, I do not believe this to be a security risk…”, I immediately opened my web browser to Gmail and tried the exact same steps I did the day before to recovery an account, but “somehow” I was unable to trigger this bug.

Granted this bug did require specific circumstances; a Gmail account without a recovery email or phone number, and the knowledge of when the Gmail account was created. The latter is easier to find than most people think. Thanks to Facebook’s Timeline, Google linking with YouTube, and a little creative thinking, aneducated guess can be made as to when the account was created, +/- 3 months of course.

So exactly what did I find? You can decide that for yourself. As for me, I stopped believing in coincidences a long time ago.