from Hacker News

I stole the data in millions of people’s Google accounts

by fgblanch on 1/13/21, 8:55 AM with 46 comments

  • by ghusbands on 1/13/21, 10:04 AM

    Can the title be altered to contain the truth? (That this is a hypothetical scenario, and no data has been stolen.) The article is a bait and switch but that doesn't mean HN should do the same. Changing "stole" to "could steal" would work.
  • by wheresvic4 on 1/13/21, 10:25 AM

    I think that these days it is safe to assume that one could always be locked out of their Google account for whatever reason. It is best practice to simply create a local account with whatever app/service one wants to use.

    I personally use an email with a custom domain which I pay for, so I am relatively secure in keeping access to my email address. Moreover, I use a local password manager to store all my passwords. This setup is a bit of a pain, but it is also liberating as I am not at the mercy of any third party when I am transacting with a service.

  • by kwijibob on 1/13/21, 9:42 AM

    And sometimes they ask for "Sign in with Google", you say yes, and then they still try to make you create a unique password.
  • by ffpip on 1/13/21, 10:30 AM

    This was flagged for clickbait a day ago

    https://news.ycombinator.com/item?id=25717156

    It's the exact same article by the same author.

  • by petargyurov on 1/13/21, 10:39 AM

    I don't get this:

    > Nothing I did would technically be considered an ‘exploit’

    Erm, yes it can? It's exploiting a glaring vulnerability in Google's auth flow, or at the very least a dodgy way to expose master tokens.

  • by matsemann on 1/13/21, 10:40 AM

    I'm always suspicious when I click "Sign in with X" and it prompts me to enter details. Normally I would already be logged in. But not always; for instance, I mostly use Firefox on my phone, and those sessions aren't shared with webviews. So one can never know.

    There's really nothing stopping anyone from making an entirely fake "Sign in with X" popup and people would believe it (me included), I think teaching people to give away their Google, FB, GH etc credentials on random pages is scary.

  • by jojobas on 1/13/21, 9:33 AM

    "Sign in to X with Y" is a terrible idea all around. Even if X does not get access to your Y account, Y definitely has access to your account in X.
  • by barrkel on 1/13/21, 10:53 AM

    It's amusing to see a (valid, IMO) security issue with Google being continuously flagged as clickbait because of how the article is written.
  • by cr3ative on 1/13/21, 10:50 AM

    So weaponise it and get your money from the bug bounty programme. Put up or shut up. ;)
  • by selckin on 1/13/21, 9:55 AM

    What a world, where you can proudly announce you tricked millions of people into sharing their private information without any consequences.

    EDIT: I should believe where he said he didn't do it, not where he said he did it.