This weekend I decided to change my Google account password. In response, Google sent me an email to the account address, notifying me of this fact. The email told me that if I did not change my password (and apparently someone else did it for me) I should click on a link to reset my password. Excellent service, right? Until I realised we are all doomed!
Doomed because this is the perfect password phishing email! Send all Google account holders this email, and many of them will click on this link because they (indeed) did not change their password. Let the link point to a website that looks like the genuine Google password reset page. And ask all users to enter their old password before offering to reset it. Then, using the old password just entered, take over the account.
Doomed because I have no clue how to prevent this. Sending the email makes perfect sense to notify people of possibly suspicious behaviour on their account. Offering a link to click makes perfect sense from a usability perspective. But because people hardly ever visit the Google account recovery page, they have no idea what to expect, and will be gullible enough to enter whatever information is asked of them. In fact, they would expect to have to enter a lot of information to prove they are the real owner of the account. So hackers can ask for additional information, like credit card details, as well. (Don’t laugh: I once tried to regain control over an account at Google that someone screwed up and I was in fact asked to supply credit card information… I did not comply and was forced to abandon the account and create a new one.)
Embedding some secret information in the account recovery page that the account holder should recognise does not help. Because you hardly ever visit this page, you don’t know you should look for this authenticating piece of information. (If, however, this was standard practice for all account recovery pages, this might actually work. But note that in this case the reset link in the email should contain an access token that allows the account reset page to retrieve the secret information from within your account.)
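The token-plus-secret design sketched above, as an added Python example that is not code from the original post: the reset link carries a signed, expiring, single-use token bound to the account, and the recovery page uses it to show the account's own recognisable phrase before asking for anything. The signing key, the account store and the recovery phrase are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed values: in a real deployment the signing key lives in a KMS and
# the per-account phrase is one the user chose when the account was created.
SIGNING_KEY = secrets.token_bytes(32)
ACCOUNTS = {"alice@example.com": {"recovery_phrase": "purple giraffe 42"}}
USED_NONCES = set()          # single-use bookkeeping; a real system keeps this server-side
TOKEN_TTL_SECONDS = 3600


def issue_reset_token(account, now=None):
    """Mint a signed, expiring, single-use token bound to one account (goes into the email link)."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(8)
    payload = f"{account}|{exp}|{nonce}".encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    # base64url output never contains '.', so the two parts split unambiguously
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_reset_token(token, now=None):
    """Return the bound account if the token is authentic, unexpired and unused; otherwise None."""
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
        account, exp, nonce = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):   # constant-time compare
        return None
    current = now if now is not None else time.time()
    if int(exp) < current or nonce in USED_NONCES:
        return None
    USED_NONCES.add(nonce)
    return account


def recovery_page(token, now=None):
    """First thing the reset page shows: the account's own phrase, before asking the user for anything.

    A look-alike page that was not linked from the genuine email has no valid token and
    therefore cannot retrieve or display the phrase, which is what gives the user a cue."""
    account = verify_reset_token(token, now)
    if account is None or account not in ACCOUNTS:
        return None
    return ACCOUNTS[account]["recovery_phrase"]
```

The phrase only helps if users are trained to expect it, which is the point made above about this needing to be standard practice.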
If anybody has an idea, please mention it in the comment section below!