I like to check the password retrieval option of different sites, and when I was checking out Gmail's option I found an interesting thing. It's not something ingenious or new, but I thought of sharing the observation with everybody, so please forgive me if it seems like a waste of time to you.

So first let's take a look at Gmail's password retrieval option.
So when you click on the 'forgot password' option and provide the email ID, Gmail gives you three password reset options:

- It sends the password reset link to your alternate email ID, which you provided during account creation.
- It sends a random password reset code to your mobile through SMS, which you provided during account creation.
- It asks the security question whose answer you provided during account creation (it asks the security question only if the account has not been logged into for the last 24 hours).

Now the first two options are of no help unless you have hacked the alternate email ID or somehow have the user's mobile in your possession. Most major sites ask two security questions, but Gmail asks only one (only if the account has not been logged into for the last 24 hours). Random questions are sometimes hard to guess, but here again Gmail makes a mistake; to see it we have to go back in time to when the account is actually being created. While creating a Gmail ID it asks you to choose a security question: it gives you the option to select a question from the default set of questions which Gmail provides for the user's convenience, or you can create your own question. But mostly users select one of the default questions (there can be many reasons for this foolishness, like impatience to start an account, laziness, or the person may not have understood its importance). Now if we take a look at the default questions, they are mostly odd, and so mostly the person selects one of the following familiar default questions:

- What was your first ever mobile number?
- What was the name of your first ever teacher?

For the first question, the person doesn't understand the importance of giving a unique answer which only he knows, and he casually gives his current mobile number as the answer (in India, most young account users are still using their first mobile number, and they give it as the answer).
Now these are very easy questions to guess, and Facebook makes it easier than you can imagine, as most Facebook users provide their current mobile number in their personal information section. Now all you have to do is answer the security question and reset the account. Once you reset the Gmail account, you can easily reset the Facebook account linked to it by using Facebook's password retrieval option. But Facebook has one more line of defense when you reset the Facebook password. When you log into it the first time it won't stop you, but it will notice that the account has been logged into from a computer with a different IP address, and when you try to log in the next time it will ask you some easy confirmation questions to make sure you are the real account holder.
Now many of you would think that the probability of success of this method will be very low. So I conducted a small survey of my friends' Facebook accounts (with their prior permission). Let's have a look at what I found out.

- I selected 20 of my close friends who use their Gmail account to log in to Facebook.
- 14 of them had not logged into their Gmail account for the last 24 hours.
- 5 of them had the security question about first mobile number and 2 had the question about first ever teacher.
- 3 out of the 5 had given their current mobile number as the answer, which I easily got from their Facebook account information, and 1 out of the 2 with the first ever teacher question was my classmate, and after some tries I got the right answer.

So in under an hour I could have reset 4 out of the 20 Facebook accounts.
So by seeing the above result you can guess how careless the user sometimes is towards his online privacy.
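
On the defensive side, a site can refuse such answers when the security question is enrolled. The following is an added example, not part of the original post and not Gmail's or Facebook's code: it rejects a security answer that repeats data already stored in the account profile, such as the current mobile number. The profile field names, the minimum length and the last-10-digits phone comparison are assumptions made for illustration.

```python
import re
import unicodedata

# Hypothetical profile field names; a real site would map its own schema.
PHONE_FIELDS = ("mobile", "recovery_mobile")
TEXT_FIELDS = ("full_name", "school", "hometown")

def _digits(value):
    """Keep only digits so '+91 98765-43210' and '09876543210' compare equal."""
    return re.sub(r"\D", "", value or "")

def _norm(value):
    """Case-fold and collapse punctuation/whitespace for text comparison."""
    text = unicodedata.normalize("NFKC", value or "").casefold()
    return re.sub(r"[\W_]+", " ", text).strip()

def weak_answer_reasons(answer, profile, min_len=6):
    """Return the reasons a security answer should be rejected at enrollment."""
    reasons = []
    ans_digits, ans_text = _digits(answer), _norm(answer)
    if len(ans_text) < min_len:
        reasons.append("too short to resist guessing")
    for field in PHONE_FIELDS:
        known = _digits(profile.get(field))
        # Compare the last 10 digits to ignore country code / trunk prefix.
        if len(ans_digits) >= 7 and known and ans_digits[-10:] == known[-10:]:
            reasons.append(f"matches profile field '{field}'")
    for field in TEXT_FIELDS:
        known = _norm(profile.get(field))
        if known and ans_text and (ans_text == known or ans_text in known.split()):
            reasons.append(f"matches profile field '{field}'")
    return reasons

# Constructed sample data, not a real account.
SAMPLE_PROFILE = {"mobile": "+91 98765 43210", "full_name": "Asha Verma",
                  "school": "St. Mary's High School"}

if __name__ == "__main__":
    for candidate in ("098765-43210", "verma", "blue kettle 1994 river"):
        result = weak_answer_reasons(candidate, SAMPLE_PROFILE)
        print(candidate, "->", result or "accepted")
```

A check like this only covers data the site itself holds; an answer a classmate could guess, like the teacher's name in the survey above, still passes it.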

(I wrote this post to make readers aware of how even small carelessness can put their online security at risk. This should not be tried, as the account password is reset and the victim will soon find out, and I myself consider resetting others' passwords the most sadistic online act.)