Tuesday, December 13, 2011

HACKING GMAIL AND FACEBOOK ACCOUNTS USING GMAIL SECURITY QUESTION

I like to check the password retrieval options of different sites, and when I was checking out Gmail's option I found an interesting thing. It's not something ingenious or new, but I thought of sharing the observation with everybody, so please forgive me if it seems to you a waste of time.
So first let's take a look at Gmail's password retrieval option.
When you click on the 'forgot password' option and provide the email ID, Gmail gives you three password resetting options.
  1. It sends the password resetting link to your alternate email ID, which you provided during account creation.
  2. It sends a random password resetting code by SMS to the mobile number you provided during account creation.
  3. It asks the security question whose answer you provided during account creation
    (it asks the security question only if the account has not been logged into for the last 24 hours.)

Now the first two options are of no help unless you have hacked the alternate email ID or somehow have the user's mobile in your possession. Almost all major sites ask two security questions, but Gmail asks only one (and only if the account has not been logged into for the last 24 hours). Now, random questions are sometimes hard to guess, but here again Gmail makes a mistake; to see it we have to go back in time to when the account is actually being created.
While creating a Gmail ID it asks you to choose a security question: it gives you the option to select a question from the default set of questions which Gmail provides for the user's convenience, or you can create your own question. But mostly users select one of the default questions (there can be many reasons for this foolishness, like impatience to start an account, laziness, or the person may not have understood its importance). Now if we take a look at the default questions, they are mostly odd, and so mostly the person selects one of the following familiar default questions.
  1. What was your first ever mobile number?
  2. What was the name of your first ever teacher?
For the first question, the person doesn't understand the importance of giving a unique answer which only he knows, and he casually gives his current mobile number as the answer. (In India, most young account users are still using their first mobile number, and they give it as the answer.)
Now these are very easy questions to guess, and Facebook makes it even easier than you can imagine, as almost all Facebook users provide their current mobile number in their personal information section. Now all you have to do is answer the security question and reset the account. Once you reset the Gmail account you can easily reset the Facebook account linked to it by using Facebook's password retrieval option. But Facebook has one more line of defense when you reset the Facebook password: when you log into it the first time it won't stop you, but it will notice that the account has been logged into from a computer with a different IP address, and when you try to log in the next time it will ask you some easy confirmation questions to make sure you are the real account holder.
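The weakness above is that the "first mobile number" answer is usually the same number the user already publishes and already registered for recovery. The following check is an added illustration, not code from this post: it shows how an account service could reject a security answer at the time it is set whenever the answer is recoverable from the service's own recovery data or from values the user shows elsewhere. The field names, sample values and the 10-digit phone normalisation are assumptions made for the example.

```python
import re

# Added illustration (not code from the post): reject security answers that
# can be recovered from the user's own recovery data or public profile.
# Field names, sample values and 10-digit phone handling are assumptions.

def normalize_phone(value: str) -> str:
    """Digits only, compared on the last 10 digits so that '+91 98765 43210',
    '098765-43210' and '9876543210' all collide (assumes 10-digit numbers)."""
    return re.sub(r"\D", "", value)[-10:]

def normalize_text(value: str) -> str:
    """Case- and punctuation-insensitive form for names and free text."""
    return re.sub(r"[^a-z0-9]", "", value.lower())

def looks_like_phone(value: str) -> bool:
    return len(re.sub(r"\D", "", value)) >= 10

def weak_answer_reasons(answer: str, profile: dict, public_fields: dict) -> list:
    """Return why an answer is weak; an empty list means it passed.
    profile: fields the service itself holds (e.g. the recovery mobile).
    public_fields: values the user shows on other sites, such as the mobile
    number on a social-network profile that the post found reused as answer."""
    reasons = []
    if len(normalize_text(answer)) < 4:
        reasons.append("answer too short to resist guessing")
    known = {**profile, **public_fields}
    if looks_like_phone(answer):
        target = normalize_phone(answer)
        for name, value in known.items():
            if looks_like_phone(value) and normalize_phone(value) == target:
                reasons.append(f"answer equals phone number in field '{name}'")
    else:
        target = normalize_text(answer)
        for name, value in known.items():
            if target and normalize_text(value) == target:
                reasons.append(f"answer equals value of field '{name}'")
    return reasons

if __name__ == "__main__":
    # Constructed sample: recovery mobile and public mobile are the same number.
    print(weak_answer_reasons("9876543210",
                              {"recovery_mobile": "+91 98765 43210"},
                              {"facebook_mobile": "098765-43210"}))
```

An answer that survives this check can still be guessed if it is a public fact, so the check complements, rather than replaces, stronger recovery factors such as the SMS code.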

Now many of you would think that the probability of success of this method will be very low. So I conducted a small survey of my friends' Facebook accounts (with their prior permission); let's have a look at what I found out.
I selected 20 of my close friends who use their Gmail account to log in to Facebook.
14 of them had not logged into their Gmail account for the last 24 hours.
5 of them had the security question about their first mobile number and 2 had the question about their first ever teacher.
3 out of the 5 had given their current mobile number as the answer, which I easily got from their Facebook account information, and 1 out of the 2 with the first-ever-teacher question was my classmate, and after some tries I got the right answer.
So in under an hour I could have reset 4 out of the 20 Facebook accounts.
So by seeing the above result you can guess how careless the user sometimes is towards his online privacy.

(I wrote this post to make readers aware of how even small carelessness can put their online security at risk. This should not be tried, as the account password is reset and the victim will soon find it out, and I myself consider resetting others' passwords the most sadistic online act.)
