Sunday, May 30, 2010

Gmail security

Gmail's logoImage via Wikipedia
Of late I read couple of posts about hacking of  Gmail accounts and took necessary steps like addition of alternate email address and mobile number to prevent such incidents happening to my account. Though my account seems to be safe as I get sms alert as well as email on my alternate email address, yet my today's experience with Gmail password recovery  was bit shocking.

Today, accidentally I logged into someone else's Gmail account. Year back I tried to create a Gmail address for my 2 years old daughter and wasn't sure whether I was able to get email address with her first name or a combination of first name and last name.

I just entered her first name and  password to login. It was a failure and assuming that I've forgotten the password, I went on to recover password from the recovery page. First screen was prefilled with firstname@gmail.com, on second screen I was asked to enter Father's middle name which I did and the result was a password reset screen. After resetting the password I landed in Gmail account. To my surprise the inbox was full of junk emails (I was still thinking it's the email address I created sometime back) and at the top of page, just below the search box, one standard yellow notification bar was showing an email address set as an alternate email address which  was probably yet to be verified.

Email address notification which was displaying an email address unknown to me and the last mail of date 2004 caught my attention. This is when I realized that I've logged into someone else's account.

I logged out immediately without performing any unethical action. If this password recovery process would have sent password or instructions on alternate email address or the process should have asked some other questions, this incident would have never happened. This is a major flaw in the password recovery flow. It's quite possible for two persons to have same middle name, especially in India. Guys @Google, if you happen to read this post, do revisit the flow for Gmail users who never bothered to add alternate email address or mobile number.