
Issue 625418

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: ----




Problem with forgot password mode

Reported by aayushba...@gmail.com, Jul 2 2016

Issue description

Here were many technical terms shown, but I found a major bug today. As I was checking how secure the accounts of YouTubers are (as YouTube uses Gmail), I came across a major fault. I was checking the account of fouseytube, as he is a YouTuber. I entered his email and clicked forgot password. It asked many security questions and I didn't know the answers, so I kept on clicking next question, and it asked for my backup email. I didn't know it, so I clicked next question, and it asked me the month and the year my account was made. As fouseytube is a big YouTuber, I knew when his account was made. I gave the right answer and it asked me for my email to send me a verification code. As it's not my account, I didn't verify and didn't log in, but like this anyone can get into anyone's account, therefore please fix it.

 

Comment 1 by sterman@google.com, Aug 10 2016

Hey,

Thanks for the bug report.

We've investigated your submission and made the decision not to track it as a security bug, as we know about that behavior you described. It will also not be accepted as part of our VRP.

We've reviewed our logs for the attempted recoveries on the account in question, and concluded that at no point was the account at any risk of being hijacked.  We often ask users for a contact email at which we can reach the claimant of a lost account before we have enough evidence to return the account.   We do this so that we can reach the user if we decide at some later date to give the account back.  We even sometimes send a verification code to the provided email account as a means of ensuring that the user did not mistype the address, which helps prevent us from handing the keys to an account to a stranger.

Comment 2 by groby@chromium.org, Aug 11 2016

Status: WontFix (was: Untriaged)
