Anyone can easily reset your Google password using your Android phone, highlighting a massive security loophole that’s been around a while and still hasn’t been fixed…
You may think your Android phone is safe in your children’s hands (unless the butter-fingered tykes are prone to dropping things on concrete floors), but a Samsung Galaxy S3 user just told of how his son reset his Google account password when playing with his smartphone.
The story, posted on Reddit, revealed how the man’s son managed to change his password while making an app purchase on the Android phone.
When the app purchase password confirmation popped up, the boy wasn’t deterred. He clicked on the question mark next to the password box, and then he tapped the forgot password link, followed by ‘I don’t know’.
He was then given the option to send the password reset link to the very same Android phone, which allowed the wee tyke to enter a brand new password.
We tried this on our own Android device (an LG G3) and were able to follow the steps above, although we were asked for a verification code to be sent to the phone via SMS. Seconds later it arrived and we entered it in the browser page, which let us reset the password for our entire Google account.
Alternatively, you can ask for the verification code to be sent via an automated phone call – which goes through to the mobile phone you’re using or the one registered to your Google account (more than likely, the same phone number).
Although this seems pretty obvious, it is a big concern because it means that anyone who has your phone can basically change your master Google password and get into all of your account info – including personal data, emails, calendars and whatever other secrets you store away in there.
Karcirate, whose son managed to hack his Google account, wrote on Reddit: “[Google] allowed someone with absolutely no knowledge about my Google account, and access only to my phone, to reset a new password for my entire Google account.”
Of course, you can secure your device by setting up a lock code, password or even face recognition so only you can use it, but it’s certainly not that straightforward if you allow your children to use your phone.
That’s why we recommend using some kind of guest mode, which blocks the little buggers from getting online while messing with your mobile. And Google has responded by pointing out that its services are intended to be used without supervision. Frankly, if you just hand your mobile to your kids and let them do what they like, you’re pretty much asking for trouble…
And of course, if you’re unfortunate enough to lose your Android phone, make sure you turn on Google’s 2-step verification and update your mobile phone details immediately via your home computer.