A Reddit user recently posted a story about how his kid changed his Google account password without any trouble and went ahead to purchase an app from the Play Store.
Here’s the story from the Redditor.
I just discovered what seems to me a massive security loophole. Please someone tell me if the following makes any sense.
My son was playing on my phone (Galaxy S3). He tried to purchase in-app items on Subway Surfer but didn’t know the password. So, he followed the following steps to reset my password from my phone without having to enter any information about the account:
Starting from the screen after you click “buy,”
- Click the question mark next to the password box when asked to confirm password for a purchase.
- Click “forgot password.”
- Click “I don’t know.”
- Leave the selection on the page at “Confirm password reset on my Android Samsung SCH-I535 phone.”
- Click “Yes.”
- Click “Allow Password Reset.”
- Enter and confirm new Password.
And that allowed someone with absolutely no knowledge about my Google account, and access only to my phone, to reset a new password for my entire Google account.
I guess this vulnerability isn’t new in Android devices, but now that someone took the time to share this, it’s left to Android users to mind who they let handle their phones, as there might not be a possible solution to this. Or do you think Google could do something about it?