Gmail SMS Verfication loophole exposed by HackingLoops

Hello friends, so first day of new year almost comes to an end, :P and we all are safe (some rumors were there that world gonna destroyed in 2012). HackingLoops is dedicating 2012 to online and web security i.e. exposing the loopholes and either fixing them or asking web masters to get it fixed. 

Note: If any Google guy is reading this, please raise a CR(change request) to get it fixed as soon as possible.

Gmail is world most famous free email service and its a prominent part of Google but they always pay attention when i expose their loopholes. Like i previously did for GX cookie loophole, which make the hackers to own the users Gmail account from cookies. But Google reaction was quick and they fixed that just 4 business days after i exposed it but that was the temporary solution, they have taken more than month to completely fixed that. So friends, lets me explain you where i have found the new bug, may be all of you know that because its too common service. But you might have missed that. So i will expose it today, so that Google will fix it as soon as possible.

hack gmail account password, Gmail mobile verification, SMS alerts
Gmail Mobile verification Loopholes
 Actually this is not one loophole, there are two big loopholes in SMS verification that i have discovered in Gmail SMS verification and password reset method. So friends from which i start, dangerous one first or mild one first.
ok..ok.. lets save the best one for last.

1. Mobile number as optional Field
As far as i know security norms, Google should make the mobile phone verification mandatory at least at the time of creation of new Gmail account. Following are the benefits of that:
a. Tracing a user will be easier: Hackers uses anonymous or fake Gmail accounts to get keylogger logs and sending fake emails to users. If we have mobile number of the Gmail account user, we can trace him back in just a manner of few seconds.
b. Mobile number and its location should be validated using the Google maps and IP address used for registering the Email account: Hackingloops is suggesting this because as a hacker, i always try to create a spoof account in which almost every detail is wrong. So for complete traceability, it should be validated geographically. I think its not that tough for cool coders to code that stuff.

This loophole is just a minor in its category but it will prove its worth, when some hacker tries to hack anything serious by using a anonymous Gmail account. If Google realizes these things earlier then they can surely put a track on malicious users and can monitor their day to day activity. But as i said until i wont expose the things, they will not fix it. I know everything is not perfect but as a Internet Giant, you guys should be perfect.

2. Forgot Password SMS verification code message
This is extremely dangerous loophole and can be greatly exploited using the Social Engineering technique. Two to three days back, i was talking with one of my client, he was explaining me that his Gmail account has been hacked. He told me that he is aware of all these techniques like Key stroke logging or Phishing that hackers use to hack the email accounts. Below is the scenario between Hackingloops client(Rahul das, works in software firm) and me(Lokesh Singh) explained to me:

Client: My Gmail account has been hacked.
Me(Lokesh): Have you got any email.


Client : Yes, i daily get lot of emails.
Me: I mean any suspicious or unsolicited or Lottery Prize email.


Client : Yes, lot of such emails but i never open any such email and also i haven't open any link from my email.
Me: Ok. Its nice that you are aware of these stuff. May be you have installed some new application or software in your PC or have your hands on some hack tool.


Client: No, i haven't installed anything from last few weeks.
Me: Ok. Then for sure you might have signed up for some new website.


Client : Yes, i signed on one website yesterday and after that only i am unable to login into my account. But i haven't used the same password there that i use for my Gmail.
Me: ok, tell me from where you got to this site means do you find that from Google or somebody has referred that to you.


Client : Yeah, one person having email ID something like earnunlimitedmoney@gmail.com has told me about that site. But today that site is also down.
Me: What was website name.


Client: Something like make money by displaying adds on your website.
Me: ok. Do you know the guy with Email earnmoneyunlimited@gmail.com. means he is friends of your's.


Client: No, i just got his Gtalk invitation, a day back. But i have talked with him personally and he was saying "You will get 50% of my Google Adsense revenue every article you write on my website" 
Me: OK, can tell me did he asked anything special like some registration or mobile verification code or anything similar.


Client: Yes, he told me that you will get a Verfication code from Google on your Mobile, that you need to provide me so that i can attach you with my Google Adsense account.
Me: Can you forward me that message.

Now friends, what will be my reaction after seeing that message..  __|__ fk... what the hell... Message was saying "Your Google Verification code is 516826".  Now anyone of you guessed it... when we get this message.
ok...ok... i give you time to guess... did you all got it... no...ok.. i will tell you..

Its a Google Verification code which you get when you select FORGOT PASSWORD option and then enters your mobile number to get the password reset code...
This is really a dangerous Loophole...Isn't it ... anybody can be fooled using this trick...

If any Gmail or Google employee or staff member is reading it, please ask your boss to raise a change request for this.

Ok..ok.. i make the situation even more worse... Now hacker has resetted my clients passwords, but he was more smarter than i thought....What he has done he changed all recovery options, even the mobile number. Now my client has no chance to get his credentials back. But it was my clients luck that he told me about the scenario and he got his account back and hacker asked sorry for his activites.. :P I hacked the hackers system(PC) using his IP address which i got through readnotify. I will explain that procedure later someday, because its unethical to hack someone...

Lets concentrate on loophole, now consider my point:
Don't you think the password reset message should contain the text password reset code is blah blah... I had never thought of such scenario can happen and anybody can exploit this loophole to that extent. Google guys correct these bugs, this doesn't cost you much but a email account costs much for the user who is having a blind faith on you Guys. 

Some suggestions by HackingLoops:
1. For Gmail Password Reset:
The message can be something like 
" Dear Gmail User(Name), 
Your Gmail Password reset verification code is 123456"
or 
"Dear user,
You have requested a password reset for your Google account (email). Your verification code is 123456".

I think both of them are less than 160 chars and can be easily sent to user and :P can be easily configured in Google SMS module.

2. If Google doesn't want to change much of their functionality, then you can use something like:
Dear user(name),
You have requested a Password Reset verification code for account(email). Your code is 123456".

I think friends, you all have recognized what the loopholes are, and surely some of Google Guy must read this, so just wait how soon Google fixes these loophole..

Stay connected with Hackingloops and keep getting latest security updates and tricks..

19 comments:

  1. please tell me how to identify if my Samsung galaxy android is hacked when all IP
    address are fake
    Thank you for your time.

    ReplyDelete
  2. can u help me personaly. I want a password hacked from gmail accounts. Plz contact me at vaisakh.menontcr@yahoo.com.

    ReplyDelete
  3. hello frnd my gmail account has been hacked on may 30th 2012. All my personal backups are holded in tat. Pl help me.. contact mail id is aravindice@yahoo.com

    ReplyDelete
  4. I have been continually hacked, harrassed, and people make fake profiles about me on facebook. I have a suspicion of who it might be, would you be willing to help me obtain a gmail and/or facebook password? Maddog6786@hotmail.com

    ReplyDelete
  5. need psw of this account please gadragadraabderrahim@gmail.com

    ReplyDelete
  6. hahahaahaa.. i cant stop laughing, try ma system..:P, well dont take ur readers so much fools...:P, as soon as i had read ur blog, now i can clearly know that u are..aa...Just guss what does i really mean....

    ReplyDelete
  7. sir, i forgot my password and recovery question and other details what can i do please contact me at my id shrikrishnaapj@gmail.com

    ReplyDelete
  8. Hi Guys

    Can anyone help me? I urgently need to get the password to lewisterryj@gmail.com This guy has stolen loads of money from people and the police are to damn slow to catch him. If I can get his account, I can see what he has been up too. Please guys help me. email me the password to info@tjltrnasport.co.za please please please please, this idiot owes me alot of money.

    ReplyDelete
  9. Lokest sir, yesterday i accidently downloaded and installed mysearchresult.com tab. it is not getting deleted from my chrome. i have tried all sorts of things to remove it but still it is not getting removed.

    Help will be greatly appreciated.


    Thanks and Regards
    Zaid Memon
    Nagpur.

    ReplyDelete
  10. Dear Lokesh jee,

    plz help me, my gmail account has been hacked by someone & changed all my recovery option... now i am in same trouble as ur client was... plz help me also to get back my password or reset it.
    waiting for your reply & thx in advance.


    regards,
    Rajeev ke.
    rajeevk472@gmail.com

    ReplyDelete
  11. Fools. Try hacking into my email addresses. I own an accounting firm in Guyana and my income is over $50,000 US dollars per year. I have heightened security and my house is under a secure gated community.

    You poor hackers can't even dare hack into my accounts.

    Try hacking into my email addresses at your own risk:

    ramesh_s@hotmail.com
    bishandco@gmail.com
    www.bishandco.com
    jaseebarran@yahoo.com
    jessica_persaud_82@hotmail.com

    ReplyDelete
  12. Lokesh need help, the paid service please contact at jasvinder.jabbal@gmail.com

    ReplyDelete
  13. Hi lakeshore, dude I really admire your teachings and techniques"Tops"
    It would be an honor and privilege if you could mentor me

    Regards
    Avishkar
    avi.baiju@gmail.com

    ReplyDelete
  14. After two years, I have finally come to understand how I kept getting hacked despite practicing account and web safety. Despite weekly changing my password, adding two-step verification, and having an eye for detail involving my surroundings.It is harder when your electronic stalker is someone you know and has access to basic information. I went from opening up my first email account in 2011, with no web expeireince, to figuring out how to use command prompt-to finally gathering on my own (because no one could explain anything other than changing the password) enough proof to file a police report.

    ReplyDelete
  15. please i need a gmail password for my account with was hacked of recent please if there is anyone willing to help me please send me an email at mugabi25@gmail.com

    ReplyDelete
  16. please i need a my gmailpassward which lost and my no are not available plese tell me my gmail at dolly.whitedovegupta94@gmail.com reply email is hariom.meena123@gmail.com

    ReplyDelete

Please do not spam.

Copyright © 2012 Learn How to Hack - Best Online Ethical Hacking Website All Right Reserved
Designed by Hackingloops.