Cyber Edition:

It’s a Saturday night, I’m sitting in my company wardroom, trying to find a way to watch Mayweather/Manny when I get a text from a friend …

alternately titled

Use Two Factor Authentication for the love of everything holy please and thank you have a fantastic day

THIS IS WHAT I HAVE BEEN TRAINING FOR MY ENTIRE

NAVAL CAREER

15 Minutes Later …Hack hack hack hack

Hack hack hack hack

Alright honestly, that was faster than I expected

Time to continue my attempts to find the fight

A few hours and a disappointing loss later…

But then…

• I was like hey, I should try to get money from google for this

• So I turn off two factor auth, reset the security settings to where they were originally

• Go to replicate what I did before

That sneaky sonofabi-

• In the three minutes since I turned off two factor and set the default email back to his old one, this guy had reset his password and deleted the account

• But alas… google makes things too easy– *clicks account recovery link

Enter whatever email you want

So the last message my friends got was early today, so that first one’s easy.The first messages came last month, lets assume this is a burner created specifically for this purpose

Whattt?!?!? NO questions?Are you f*#&%ing kidding me?

Implications

• Burner accounts on gmail are vulnerable– The only method of authentication for a password

reset is when the account was created and when it last contacted you

– Their algorithm and all of those other complicated questions are ignored if you havent used an account enough to populate it with data• Leaves just a shitty time based authentication

» After breaking in I checked the account creation date, I was off by 2 months and Google still said it was fine.

• Guessing that guy is as freaked out as humanly possible

• Girls don’t want to press charges but will if he continues

• For now he’s locked out permanently• But back to Google…

• Sent el Goog a message detailing what I did and why that’s really bad for the good guys too

• Their response -

Hi,

Thanks for your note. Account recovery is a complex problem. On the one hand, it's important that people who forget their passwords are able to legitimately recover their accounts. This needs to be carefully balanced so attackers aren't able to exploit the system. There are many, many signals that are used in this process, some of which are difficult to properly assess in small scale testing. In this instance, we believe the account recovery process is working as intended. If you disagree, please attempt the account recovery process on our test account, please.break.in@gmail.com. If you are able to recover this account, please let us know. Otherwise, thanks for your report, and good luck on your future bug hunting!

Regards,Yousef

Damnit google.

• No sweet sweet google bucks for me

• Moral of the story, 2 factor authenticate everything, burner emails on gmail are inherently vulnerable, and google thinks that’s okay

• That’s probably the end of this adventure unless I go to Ars, but yay cyber

• Pew pew pew pew