Sunday, May 27, 2018

Security Vulnerability in Google Accounts

  


There is a bunch of security vulnerabilities on the google account which i have raised via issue :- https://issuetracker.google.com/issues/80305862. This issue exists not due to a technical failure but a weak user experience which makes it easy for a hacker to trick a victim into ceding access to their google accounts. Note this issue only affects people who have chosen to use their android devices as a authentication mechanism for their google accounts.


These popups (Above) appear at least 20 times on my Android phone. They shows up  without warning right in the middle of whatever it is that i may be doing.

Normally, i would have ignored this but the other day i was playing a game and was pressing ok and yes without much attention when this showed up and set my alarm bells ringing. So i decided to investigate this further.

Upon further scrutiny i found out that a hacker can write a small script to submit my user name to a google login form and generate this prompt.

Whats more the first 20 attempts per day to do this do not even have a captcha protection. 

If a hacker were to run this script against a 1000s of such accounts it is possible that at least 1-2% people would inadvertently press yes and cede access to their google accounts.

The second popup is worded even more confusingly . What does "Confirm Security lock" mean, if i click that and enter my screen lock to unlock my device to figure out whats going on I have already been hacked.

In view of all this i decided to change my password. And now i cant even do that since the link to change password is broken and is leading to a 404 not found with spammy content right on the *.google.com domain. (See video below)