Google Recovery Based Password Reset Flaw


Hi There,
I have been looking into Google's recovery-based password reset method for Gmail for quite some time.
Before April 2017:
Anyone could have reset a Gmail password using the correct account creation date and month, with a tolerance value of 4 months, if you were initiating the recovery process from a trusted home network which you had previously used to log in to your account.
The home network / IP thing could easily be bypassed if you knew the user's IP and spoofed your IP so that the first 3 places of the network address were the same as the user's, using some kind of proxy server (not hard in some cases). Another neat trick would be asking the person to share their hotspot to access the internet and then initiating a recovery for the same user.

However, when Google rolled out its new UI and security login update in April 2017, this was gone.
Now the recovery mechanism doesn't rely on IP or a trusted home network.
Now they have tagged this with the Account_Chooser and GAPS cookies.
Now if you have these cookies for any user account, no matter whether he is signed out of his account,
one can reset the password using the above-mentioned method.
I want to ask if there is anyone who has used this or is working on this method :smiley:
Some advice here will be useful, and correct me if I'm wrong somewhere in this.


One problem I think will be hard to get around: How would you guess the account creation date? Is there a limit of wrong tries?


That kind of information can be obtained through elicitation or hard research on somebody.

So they only have one cookie? If you can obtain this, why would you not just get the login cookie?

Also, how have you obtained this information? Is there a Google write-up somewhere? Or have you done your own research?


Funny thing, I already tried to reset my Google password more than once, and always failed at that question. How should I remember when I created my account? :joy:
Generally speaking, one has to be a very creative Social Engineer to wrap this question in a plausible context. Would love to hear about some ideas :slight_smile:



There is a security hole in your account if you created it in a specific time. When did you create your account?

I got my google account now for almost 6.5 years. How long do you have yours?

My first google history entry is 5 years old. How old is yours?

I think you can get the date more or less exactly quite easily.
Yes, there is a 4-attempt limit; after that it blocks the attempt and you can only try again after some time,
but as I said there is around a 4-month tolerance limit, so in 4 attempts you can cover up to 2 years.



Because if the user is signed out of Gmail then there is no use for login cookies, but the account_chooser cookie will still be there.
There is no Google write-up on this anywhere. I have researched this many times, and thought that if anyone came across the same it would be a good point of discussion.

