
Gmail security vulnerability?

This has happened to me twice now – getting my Gmail password reset after coming back from a trip. It reaffirms that no one should use email as file storage.

It’s ridiculous. The first time it happened, I had no way to recover it except by remembering exactly when I started using Gmail, Calendar, Docs, and Notebook. (I never gave Google an alternative email and never registered my phone)

I had to ask Nima when I first sent him an email, recalling that we both beta-tested Gmail in its early years. I figured out when I started using Calendar by asking Jasmina (who has access to my calendar) the date of the first event on it. Docs, for some reason, I remembered the first time I used it. Notebook was a tricky one. I knew I only recently started using it to keep track of certain lists, so I checked the creation time stamp on the bookmark link .lnk file. It was an NT timestamp, so that took a while to figure out.

After a few hours, I finally found my way back into my email… that was empty. All my emails and attachments since 2004 were destroyed! As a countermeasure, I created another gmail account to use as an archive where I set up forwarding of all my future mail. I registered my other non-gmail accounts as the primary reset email address, and registered my phone.

All is fine and dandy, until I got back from Yosemite last Friday to find myself locked out of my gmail, again.

I got a text from Google with my email reset code, and my archive email has an email to reset my password. Note – these notifications were NOT requested by me, which means someone used the password reset option and guessed the reset url Google provided. Not good. The url is 20 characters, and it seems like 128-bit ASCII, or 128^20 entropy. Looks secure enough to me. The account activity log shows 3 accesses not from me:

Gmail access log showing unauthorized access.

I went camping August 17 to August 20, which means the accesses via Browser (IMAP was from my phone) were not me. Doing a whois lookup showed that those IP addresses belong to two bulletproof servers, Sil.at and FDCservers.

Bullet Proof server screen shot: Sil.at

Bullet Proof server screen shot: FDCservers

I’ve hit a dead end here. There’s no more trace of the attack and the only thing I could do was to call up these servers and demand termination of the user; I mean, FDCservers’ AUP even says they don’t allow illegal activities. I figured that’s more trouble than it’s worth. Maybe I’ll call them up next time it happens. For now, my archive-and-reset system works fine.

Has anyone else had this problem with Gmail?
