A Reddit user just posted an account of how his son managed to reset the password of the Google account tied to the family phone, in order to buy something from the Play Store. And no, the kid is not a Mozart of hacking: the reset was trivial. He did not have to enter a single piece of account information to change the password. Here is the post:
Come on, we're nice, here's the translation. But frankly, folks, if you can't follow the original, you really need to brush up on your English.
I just discovered what appears to be a huge security hole. Can someone please tell me whether the following makes sense?
My son was playing on my phone (a Galaxy S3). He tried to make in-app purchases in the Subway Surfers game but didn't know the password. He therefore followed the steps below to reset my password from my phone, without having to enter the slightest bit of account information:
Starting from the screen shown after tapping "buy":
- Tap the question mark next to the password field when asked to confirm the password to purchase.
- Click on “forgot password”
- Click on "I don't know"
- Leave the box checked on “confirm password reset on my Samsung Android SCH-I535 phone”
- Click "yes"
- Click on “allow password reset”
- Enter and confirm the new password.
And that allowed someone with no information about my Google account, and with nothing more than physical access to my phone, to change the password for my entire Google account.
And the worst part is that this is not even a recent flaw: it has always worked this way. It is the kind of thing that could please Apple, which had already reported the Play Store to the competition authorities. It should be stressed, however, that the problem only affects the least careful among us. The catch is that our victim here had not enabled two-step verification: the phone itself was accepted as sufficient proof of identity to approve the reset, so anyone holding the unlocked phone could approve it.
So if that is your situation too, you know what to do. One thing to watch, though: two-step verification works by having Google send you a verification code (the classic approach, agreed). The trick is not to have that code sent by SMS, because, obviously, whoever wants to change your password already has your phone in their hands, and the code would land on the very device they control.
You therefore need to choose email delivery. And for the same reason as before, do not pick an address whose mailbox is already set up on the phone, logical, no? So we suggest using your address email@example.com, you know, the one you use to sign up on sites when you fear spam. One caveat: whatever address you choose becomes a reset path into your Google account, so it must itself be protected with a strong password (and ideally its own second factor), not treated as a throwaway.