So my gmail account got hacked. Yes, painful, but also very instructive. Firstly, I still do not know exactly how it got hacked. I don’t use any public computer. In fact, I haven’t used any other machine besides my own laptop (Mac) and my iPhone in a very very long time. I don’t sign up for any offers on the internet, and do not install any crap software. Besides, isn’t the Mac supposed to be very safe?
Anyhow, I got hacked and that’s that. The hacker then started sending emails from my account to everyone I have ever communicated with asking for money. The amazing thing about this story is that all the emails sent are very very impersonal, don’t salute the recipient in any way, and are full of grammatical and spelling errors. Yet, the content matter is so sensational (being robbed at gunpoint in some foreign country), that everyone gets worried about my safety. If I received a similar letter, I wouldn’t sit and analyze this, and would fall for it as well. So far, they have preyed on the emotions of their victims through me as the medium.
During the course of trying to get my account back, I ran into some of the issues and got a sneak peak about exactly how these hackers then try to exploit the system, GMail in particular. I had my Yahoo account set up as the secondary email in case of emergencies, or verification. The hacker was quick to change the secondary account first. Gmail has a system of sending verification to a mobile device. This too got changed quickly to some mobile number in Nigeria. During this time, I tried in vain to gain control by asking Gmail to reset my password and send me the password reset code. Gmail only shows that they sent the reset code to firstname.lastname@example.org, but not the username at the yahoo.com address. So while I was waiting for my password reset code to arrive at my yahoo.com address, the hacker was seeing password reset requests come in to the temporary yahoo address he had set up. I am sure he was laughing at my stupidity and the fact that I sent in multiple requests when the first one failed.
Ok, I was baffled. So I went through the GMail system to report that my account has been compromised. I had to fill in multiple details, including when my account was first started, and the invitation code I used to join (if at all). Obviously, I didnt have any of these, but I made best guesses, and lo and behold, GMail returned my account back to me. I was able to reset my password, and rejoice.
Alas, too soon!
After proclaiming victory, I tried to send a few emails, etc. and it all worked fine. I promptly sent emails to a huge list of people warning them that I had been hacked, and to ignore requests from me for money. There were a few people in the list that I wouldnt have minded getting some money from, but this had to be done.
The hacker, during this time, had very smartly set up a forwarding rule so that he was getting all the emails that I was receiving on my account. This, by itself, is not much. But here comes the most amazing part of how Google engineers missed seeing this as a threat, but these hackers have managed to exploit it. Before I explain what the flaw is, a little diversion into the background.
GMail allows one account to send emails while masquerading as another account. This was designed primarily so that I can have multiple gmail accounts (including Google Apps email accounts like I have a @gmail.com and a @gigzee.com account), and still be able to use one primary account and send emails from it for all the different accounts. Great idea, and I love it. All this takes to set up is a simple verification email. So, say you have email@example.com and firstname.lastname@example.org. If you want email@example.com to be able to send emails and still show up as firstname.lastname@example.org, you can go to your settings, set up another email address and this will send a verification email to email@example.com. After clicking on the verification link and entering the code, firstname.lastname@example.org can now send as email@example.com. If you delete the verification email from the a1 account, there is NOTHING in the settings or account panel of firstname.lastname@example.org that shows that b2 is still sending emails as a1.
This is exactly what the hacker has done. He has set up another gmail account, and is sending emails on behalf of my gmail account. During this time, he is also receiving the auto-forwarded emails of my account. So even though I have changed my password, and declared victory, he can still receive and send emails just as if he were in full control.
So, step 1, I removed the forwarding rule. Ok, now he cannot get any emails sent to me. Yayyy!
What about his ability to send emails? Turns out that there isn’t any additional verification after the initial verification. What’s more, there is no indication anywhere on my account settings that shows me how many other people can send emails as me. This is terrible. So while I have full control with brand new passwords, the hacker can simply keep sending emails to anyone he likes pretending to be me, ruining my reputation in the process.
GMail – I am not sure how you could have missed this in one of your threat model analyses. But please add an option in account settings where I can control who all can send emails pretending to be me. Meanwhile, the hacker has a field day in sending emails from my account, and can do so as and when he pleases. I am writing a letter to GMail as well so that they can fix this, but if you get any email from me asking for money (personal or not), please don’t wire it to somewhere in Europe. Now, if you want to hand over some cash to me in person, feel free to give me a call!