Pets Considered Harmful
Apr 26, 2004
Late last night, I read a post at the Bradlands about a Gmail security vulnerability which, I think, was the equivalent of having your sense slapped into yourself when you're really drunk. Except I wasn't drunk, I was kind of in a semi-permanent state of adoring, when I should've been thinking; I had pets. Oh, I still have pets, but now I have common sense as well.
Essentially, Gmail has the following security vulnerability:
All a person has to do to break into your Gmail account is click "forgot my password" and correctly guess the answer to your "secret question". That's it; that lets them set your password to whatever they want. So when you pick your "secret question", pick a personal question which is fucking ungoogleable! I did not; I picked "What is the name of your cat?".
When I put it like this, it does seem like common sense should have stopped me from doing so, right? Well, in my defense, when I picked the "secret question", I was under the impression that my password would be sent to my "secondary e-mail address" (also required to sign up for Gmail) when that question was answered correctly, not that anyone who'd be able to answer it could set a new password right then and there. That, and my cat is really adorable.
Should you forget your password, answering your "secret question" is the first and quickest option to set a new password; only if you've forgotten the answer to that question, too, does Gmail send the password to your "secondary e-mail address".
So the first thing I did, once sense was brutally but efficiently slapped into me by reading that post, was of course to change my "secret question". It's a lot tougher to find out now (it might not be impossible, but it's definitely ungoogleable). I also submitted a Gmail bug report.
The second thing I did was to Google for Gmail addresses, and to check the secret question for any I could find. I did find quite a few addresses, and most of them used the default secret question, asking for your mother's maiden name. Most Gmail users are seemingly from the US (which isn't so odd) and I have just about no idea how to find a US citizen's mother's maiden name using public records, nor where or how to dig for those public records online. Someone else might know, and if they do they have access to almost all Gmail accounts, but I don't.
I do know, however, how to use Google, and quite well at that. The first time I found a Gmail user with a similarly stupid "secret question" like mine, asking for the name of his puppy, my reaction can be described as "Aha!". I did just a little bit of Googling and found out his dog's name in less than a minute's time. I'm not the mischievous kind, well I wasn't yesterday night at least, so I didn't break into his account, instead I sent him an e-mail, warning him of his weak "secret question". He was grateful.
When I found the second Gmail account with a secret question asking for the name of a pet, there was no "Aha!" reaction, there was just pity. I was over the excitement of it. As a person newly awoken from the dreamlike state of dedicated reverence of a pet, I felt for him. So I sent him a similar e-mail as the previous one I sent, explaining that his "secret question" was weak and that it was all a person needed to answer in order to hijack his account. I've had no word from him, yet. (Update: He was thankful for the warning as well.)
The third time I found a Gmail account with a secret question asking for the name of a pet it was just a real downer. I sent him, too, the same e-mail, explaining the security vulnerability, and telling him he should change his "secret question". No word from him yet, either.
That was it, then I went to bed.
Between these three, I went through many accounts with a secret question asking for their mother's maiden name, which I didn't bother to look up, a few others that are most likely ungoogleable, like asking for the hospital in which they were born, and some really obscure ones too.
Apparently, I was not the only one not thinking straight about the googleability of my pet's name. But then again, I didn't think that was all anyone needed to know to set a new password. So, people, Gmail users especially, pick an ungoogleable secret question, okay? Thanks.
But let it be clear that I'm not saying Google's approach to retrieving access to your account when you've forgotten your password is wrong. I'm not sure it is. I do think Google should make it very clear when you pick that question that it is all anyone needs to answer to be able to hijack your account, as opposed to having the password sent to your secondary e-mail address.
After careful consideration, I actually think that Gmail's approach is totally right. They shouldn't send the password to the secondary e-mail address, they should just let you reset your password, then and there, once you answer your secret question. Why? Because your Gmail account is quite likely to outlive your secondary e-mail account, especially if your secondary e-mail account is a Hotmail or Yahoo account, which Gmail effectively replaces for all intents and purposes.
But they should be clearer about the purpose of that secret question.
Comments
Sending a one time password to the alternative address, after a correct challenge/answer to the security question would be the smart choice. I am surprised Google was not doing that already.
When they ask for a secondary, it makes sense that it would be used for when there is a "special" need for it. Resetting one's password qualifies as such, I think...
Comment by David Collantes at 14:08, 26 Apr, 2004 #
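As an added example (not code from the post, from Gmail, or from the commenter), here is a small Python model of the two recovery designs discussed in the post and in the comment above: the "right answer, new password on the spot" flow the post describes, and the "right answer, then a one-time code to the secondary address" flow the comment proposes. The Account class, MAX_ATTEMPTS, the outbox standing in for mail to the secondary address, and the sample cat name are all constructed for this demonstration.

```python
import hashlib, hmac, os, secrets
MAX_ATTEMPTS = 5  # assumed lockout threshold for wrong answers (not a Gmail setting)

def normalize(answer):
    return " ".join(answer.strip().lower().split())  # 'Mittens ' matches 'mittens'

class Account:
    def __init__(self, password, answer, secondary_email):
        self.password = password
        self.secondary_email = secondary_email
        self.salt = os.urandom(16)
        self.answer_hash = self._hash(answer)  # slow salted hash; the answer itself is not kept
        self.failed = 0                         # wrong answers so far
        self.pending_code_hash = None           # set while a hardened reset is in flight
        self.outbox = []                        # constructed stand-in for mail to the secondary address

    def _hash(self, text):
        return hashlib.pbkdf2_hmac("sha256", normalize(text).encode(), self.salt, 50_000)

    def answer_ok(self, guess):
        if self.failed >= MAX_ATTEMPTS:         # locked: no further guessing at the question
            return False
        ok = hmac.compare_digest(self._hash(guess), self.answer_hash)
        self.failed = 0 if ok else self.failed + 1
        return ok

def weak_reset(acct, guess, new_password):
    """The flow the post describes: a correct answer sets a new password on the spot."""
    if acct.answer_ok(guess):
        acct.password = new_password
        return True
    return False

def hardened_reset_start(acct, guess):
    """A correct answer only triggers a one-time code mailed to the secondary address."""
    if not acct.answer_ok(guess):
        return False
    code = secrets.token_urlsafe(16)
    acct.pending_code_hash = hashlib.sha256(code.encode()).digest()
    acct.outbox.append((acct.secondary_email, code))  # the requester never sees the code
    return True

def hardened_reset_finish(acct, code, new_password):
    """The password changes only with the mailed code; the code is single-use."""
    expected = acct.pending_code_hash
    if expected is None or not hmac.compare_digest(hashlib.sha256(code.encode()).digest(), expected):
        return False
    acct.pending_code_hash = None              # consume the code on success
    acct.password = new_password
    return True
```

Someone who has googled the cat's name gets all the way through weak_reset, but with the hardened flow they stop at the secondary mailbox they do not control; the lockout counter also caps how many pet names can be tried.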
Also, it should be noted that the case mostly with hijackings of e-mail accounts, in my experience, is people you know. And people you know are all the more likely to know what your mother's maiden name is, or where you were born.
So, beware of jealous boyfriends/girlfriends if you're using gmail ppl ;)
Comment by Lego at 18:59, 26 Apr, 2004 #
Finding out a user's mother's maiden name or hospital that they were born in is not as difficult as it sounds - especially small cities and towns. It does take more work than the average person would care to spend wasting time playing with someone's email, but if someone is really determined...
For a maiden name, you could actually look that information up at the courthouse (or local gov. records office) because that info will be on a marriage license.
A simpler solution, maiden names are often published in the paper for engagements and marriages. Notifications that include the hospital (or at least the town) are also published for someone's birth in the paper.
Comment by Stephen at 22:08, 26 Apr, 2004 #
Who would have thought that the real privacy concerns with Gmail would lie in its 'reset password' feature?!
Comment by Sunny at 01:57, 27 Apr, 2004 #
Lol! It just keeps getting more interesting :)
It would be hard for someone to guess my library card ID I'm sure but now that I know it's ALL you need to hijack an account I'm thinking of changing it to some random mess of characters. I never forget my passwords =]
Comment by cyberhill at 09:52, 27 Apr, 2004 #
Honestly, I can't believe people really do fill in the secret question fields. Every time a website requests it, I just type garbage. I don't think I ever seriously answered. I'd rather lose my mail archives or whatever I set up online than let someone else access it.
Comment by garoo at 00:28, 28 Apr, 2004 #
I don't know how you do it Tomas — I've tried for an hour with no luck! ;)
Comment by swimp at 00:44, 28 Apr, 2004 #
I'm with garoo! Even if answering the question correctly doesn't let you change the password on the spot, it will likely trigger an e-mail confirmation. Someone could use that to annoy the crap out of you. I just type a long string of garbage text. A few sites require you to enter your secret question answer twice, so then it's just copy-pasted garbage text.
I don't forget my passwords.
Comment by Mark J at 10:01, 30 Apr, 2004 #
Ok so how do I change my secret question?
Comment by paul at 01:39, 02 May, 2004 #
paul: You change it in the settings.
Comment by Tomas at 04:00, 02 May, 2004 #
The solution provided has been to always use the password question. Which leaves us, the people with stolen accounts, without an account :(
Comment by fernand0 at 13:33, 09 Jun, 2004 #