||[May. 9th, 2010|11:56 am]
If you use Gmail for anything non-trivial, this may be the time to think again and switch to some other service, since there are indications that Gmail has some kind of bug or backdoor which may allow your account to be hijacked.
Yesterday I went to Gmail to find a message stating that my account had been locked. I had to regain access via a text message to my mobile phone. This was pretty straightforward, by the way, and took less than five minutes.
One I logged in I discovered a large number of spam emails had been sent from my account. Clicking on the link at the very bottom of the page (Last account activity) revealed the following:
Some Googling revealed that this had been reported by quite a few people - a hijacked account accessed via Mobile. I considered the usual ways of gaining access to someone's Gmail:
Phishing: I've never received any such emails, let alone responded to them.
Linked accounts: My Gmail password was unique to Gmail.
Failing to log out: I never use public computers, and Gmail logs out when the browser closes on my own computers.
Keyloggers: Like I said, I never access Gmail on public computers, and have only accessed it from a Mac the last couple of weeks.
Trojan/Virus/Malware: The spam was sent when I wasn't logged in. Also, I regularly scan for malware on my PC (which I use less and less nowadays) and have a fully updated virus scanner.
Password guessing: My password was a fairly random string of letters and numbers. In addition, I deliberately entered a wholly bogus date of birth etc in the personal details to forestall any attempt to nab my password through the password recovery service.
I'm convinced, especially after hearing from two or three friends who it has happened to in the past week, that this is down to flawed code causing an unintentional backdoor in Gmail, especially since all have reported that the hijacking happened via the Mobile interface.
I don't expect Google to admit that there is such a security hole even if it's true, since the last thing they want is a sudden crisis of confidence among their users after all the previous worries about privacy, etc. What they'll do is issue the usual warnings about using good passwords, not leaving yourself logged in, etcetera etcetera, and quietly locate and fix the security hole.
So - be warned.