Someone's exploiting Google's account recovery system to send spam

September 9, 2016

I've written before that spammers will eventually exploit any way of sending some user-supplied text to arbitrary email addresses. Today I got a beautiful example of this, where someone appears to be exploiting Google's process of managing account recovery options to send spam. Yes, really.

(I can't be entirely sure of what's going on because the entire message is in Chinese and I'm feeding it through Google Translate in order to understand it.)

The email was sent to a pseudo-address that's never actually existed, so I can be confident there's nothing legitimate about the whole episode. However, it's a real Google message, about how '[the] recovery email address for your account was changed' (based on the translation). The account in question is, which seems very clearly to be just made up by the spammer for this purpose. Almost all of the text of the message is the boilerplate Google notification you get here (albeit in Chinese), but the spammer has managed to somehow get in one line of their own text (perhaps by setting it as the 'name' of this Gmail account).

I assume how this works is roughly that the spammer creates a bunch of random Google accounts, sets the 'name' or whatever appropriately, and then changes the recovery email address(es) to their targets. As you'd sort of want, Google automatically sends out a security notification, thereby transmitting the spammer's message for them. Apart from all of the work that's required to set this up, this seems rather neat and creative.

(I'm merely guessing that the spammer is exploiting the account name to get their text in; it could be something else. I don't have any experience with the English version of this Google message to give me clues.)

It also makes a good illustration of the lengths that spammers are prepared to go to and how hard it is to stop them, especially without impacting ordinary users. Stopping all user-supplied text from leaking to email addresses under all circumstances is a very tall order; as with other security things, it's easy to add an innocent-looking feature that opens up a hole or makes a previously harmless situation suddenly dangerous. And like other security issues, some of the obvious countermeasures are user-hostile. If Google doesn't include the user-supplied name in its security notification email, it forces people to try to remember what '' is, as opposed to giving them a hint.
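The trade-off in that last sentence can be made concrete. What follows is an added example, not Google's code and not anything from this post: a notification renderer in which the only user-controlled field, the account's display name, is vetted before it is placed into a fixed template. If the name looks like a message (too long, contains a URL or domain, a phone-like number, a contact-channel keyword, or a line break), the template falls back to a masked form of the account address, which still gives the recipient a hint about which account is involved without relaying the spammer's text. The limits, the keyword list and the masking scheme are all assumptions for illustration, and the heuristics are deliberately crude; a real service would tune them against its own abuse data.

```python
import re
from dataclasses import dataclass, field

# Hypothetical policy limits for illustration; these are assumed values, not a real provider's.
MAX_NAME_LEN = 40
URL_RE = re.compile(r"(https?://|www\.|\b[\w-]+\.(?:com|net|org|cn|top|xyz)\b)", re.I)
PHONE_RE = re.compile(r"\d[\d\-\s]{6,}\d")
# Crude keyword list of contact channels a spam payload tends to mention (constructed, not exhaustive).
CONTACT_WORDS = ("qq", "wechat", "微信", "telegram", "whatsapp")


@dataclass
class NameDecision:
    shown: str                          # what the template will actually display
    reasons: list = field(default_factory=list)  # why the raw name was rejected, empty if accepted


def vet_display_name(raw_name: str) -> list:
    """Return the list of policy violations for a user-supplied display name (empty means accepted)."""
    reasons = []
    if len(raw_name) > MAX_NAME_LEN:
        reasons.append("too long")
    if URL_RE.search(raw_name):
        reasons.append("contains URL or domain")
    if PHONE_RE.search(raw_name):
        reasons.append("contains phone-like number")
    lowered = raw_name.lower()
    if any(word in lowered for word in CONTACT_WORDS):
        reasons.append("contains contact-channel keyword")
    if "\n" in raw_name or "\r" in raw_name:
        reasons.append("contains line break")
    return reasons


def mask_address(address: str) -> str:
    """Hint at which account this is without reproducing the local part in full."""
    local, _, domain = address.partition("@")
    if len(local) <= 2:
        return "*" * len(local) + "@" + domain
    return local[0] + "*" * (len(local) - 2) + local[-1] + "@" + domain


def choose_name(raw_name: str, account_address: str) -> NameDecision:
    """Use the display name if it passes vetting, otherwise fall back to the masked address as the hint."""
    reasons = vet_display_name(raw_name)
    if reasons:
        return NameDecision(shown=mask_address(account_address), reasons=reasons)
    return NameDecision(shown=raw_name)


def render_recovery_notice(account_address: str, raw_name: str) -> str:
    """Render the 'recovery address changed' notice; every other word of the body is fixed template text."""
    decision = choose_name(raw_name, account_address)
    return (
        "The recovery email address for the Google-style account of "
        f"{decision.shown} ({mask_address(account_address)}) was changed.\n"
        "If you did not expect this notification, no action is needed.\n"
    )


if __name__ == "__main__":
    # Constructed sample inputs: a plausible name, and a name carrying a spam-style payload.
    print(render_recovery_notice("alice.chen@example.test", "Alice Chen"))
    spammy = "Best prices at www.example.test, call 138-0000-0000"
    print(choose_name(spammy, "spammer123@example.test").reasons)
    print(render_recovery_notice("spammer123@example.test", spammy))
```

Note that the fallback is the masked address rather than nothing: dropping the hint entirely is the user-hostile option the post describes, while the masked form leaks at most a couple of characters the spammer chose.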

Written on 09 September 2016.

Last modified: Fri Sep 9 00:15:33 2016