SCF Advanced Search

  • Total Members: 13155
  • Latest: Akhand
  • Total Posts: 32810
  • Total Topics: 9927
  • Online Today: 1416
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

Author Topic: Cracking / Hacking a Gmail Account  (Read 1774 times)

0 Members and 1 Guest are viewing this topic.


  • SCF Administrator
  • *****
  • Posts: 7444
  • KARMA: 312
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Cracking / Hacking a Gmail Account
« on: 28. September 2008., 10:00:36 »

Who is the real identity behind that Gmail account? While finding out may not be as easy as knowing who is behind (Homer Simpson, for the curious), it apparently isn't much harder.

Yahoo might have recently attracted attention for the public compromise of one of US Vice Presidential nominee Sarah Palin's accounts, but there are people looking at all providers for weaknesses in account creation (spammers), account recovery (hackers), or other account management functions, such as the identity behind the address.

There are varying levels of success in each area, with many security people who pay attention to the latest developments in CAPTCHA-breaking believing that the major webmail providers have been compromised to a level where it is viable for automated spamming.

In the area of account recovery, anyone who watches the Full Disclosure mailing list will note from time to time claims of malfeasance from various unheard-of groups who claim to have the full webmail mail file of one or more security identities. The Sarah Palin case has publicly demonstrated for everyone else the many problems that can be associated with not selecting secure enough security questions (and the problem of determining what is secure in the first place).

There isn't as much focus on finding the identity behind a random webmail account, but Google apparently seems to have several (unintentional) methods to recover the registered first and last names associated with an account. In a demonstration of why it is always polite to acknowledge security issues, Google was previously notified of a similar issue, by the same researcher, but they silently fixed it. Not happy with the approach taken last time, the researcher publicly disclosed enough of their rediscovered issue for many who had discovered equivalent problems to come forward with their own examples.

Information that can be recovered is only as good as the information that was originally supplied, but who really signs up to a webmail provider with a fake name? If you were already taking steps to blur your online identity, then it probably isn't going to work against you. Rather, it is the majority of users, who take no real effort to hide their identity when using online services, who can have their details rapidly recovered.

With spammers who have managed to automatically create a number of spam accounts, this allows them to send highly personalized spam to their targets and improve the chances of having it slip past the Gmail filters. Spear phishers might already know who owns an account, but this might help gain leverage on co-workers or add extra legitimacy by identifying others who the target would already know about but who the phisher wouldn't directly know.

Highly personalized spam might be an annoyance, and it might be unsettling to be the target of a Spear Phisher (if you even pick up on the attempt). It will certainly be annoying for your Information Security people, but what of the biggest risk, account hijacking?

Let's say you set out to hijack a random someone's Gmail account. Using one of the different methods freely available, you manage to recover your target's first and last name. If you're not being picky, you spread your efforts over a range of addresses in order to build a range of options for the next step. Using the likelihood that someone from the list of names gathered has linked their Gmail account to one at MySpace, FaceBook, LinkedIn, or some other networking site you then dig your way through the list compiling a basic profile on each person who has done so and then use account recovery procedures to reset passwords or directly gain access to your victim's account.

Sure, you could always establish a fake Gmail account and do whatever it is you want from there, but there is always the chance that you will be traced, hence the use of an account that is not yours. It is like using someone else's open wireless access point without their knowledge. If you do something malicious, the investigation will target them first, but eventually when you are tracked down, it will be all the worse for you.

Proving that a malicious email didn't come from you might be a little harder than proving that someone accessed your network without permission, but an email account hijack is certainly a technical feasibility. It will be difficult to prove that it did happen, and it can be difficult to prove that it didn't.

Investigators and security personnel need to be aware that it can happen, and that it can happen quite easily. Users need to be aware that it can happen, and to contact their webmail service provider in the first instance if they believe something has happened.

News Source: PC World

Samker's Computer Forum -

Cracking / Hacking a Gmail Account
« on: 28. September 2008., 10:00:36 »
Sponsored Links:


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising