
Ask HN: Google Gmail as a recovery address, function or security hole? - hbarka
Why does Google allow anyone to use your gmail address as their recovery email without requiring confirmation of any kind? If you google for any help on this issue, you'll get forum posts excusing that it's harmless and you can simply "disavow", says the email alert you get when someone enters your email address for their recovery, that somehow it's their mistake and isn't a security issue. That's not really a good answer. I've been getting this "attack" repeatedly and I'm inclined to think that it's a vector which is being probed for social hacking. Google should not allow this practice and they can fix it easily by putting a confirm hold before letting anyone use anybody else's email randomly as a recovery address.
======
086421357909764
How does it make you a greater risk? Is it possible you have an email address
similar to someone else's? I receive emails obviously targeted at a different
person, but because our addresses are so similar it's a common occurrence.

Unless you're speaking of a spear phish trying to lure you into clicking a
link, it's just harmless spam. Hell, the same could be said if I signed your
email up for dirty porn emails, you'd just delete or ignore.

~~~
hbarka
It's an easy vector for spear phishing because it contains an official click-
through button for disavowing. Very easy to manipulate and do the Podesta
trick with it. Saying it's harmless isn't actually true and also isn't a good
answer.

~~~
086421357909764
Right but the matter stands as this, if you weren't expecting it and it's not
relevant to you, it's likely spam, so get rid of it.

~~~
hbarka
It's not the same class as spam, as you're insisting. Merely deleting the
email doesn't "get rid of it". Now there's a hard association between you and
the other party and can be social hacked as a recovery email. It's bad
practice on Gmail's part to create an official function which commits without
authorization or authentication.
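The "confirm hold" the original poster proposes, modelled as an added example that is not code from Google or from anyone in this thread: a recovery address stays pending until a one-time token mailed to that address is redeemed, so an unconfirmed binding can never be used for account recovery. The `RecoveryRegistry` class, its method names and the in-memory outbox are all hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class RecoveryBinding:
    """A requested recovery address; inert until the mailbox owner confirms."""
    address: str
    token_hash: str        # only the hash is stored server-side
    confirmed: bool = False


class RecoveryRegistry:
    """Hypothetical registry enforcing the confirm-before-use rule."""

    def __init__(self) -> None:
        self.bindings: dict[str, RecoveryBinding] = {}   # account -> binding
        self.outbox: list[tuple[str, str]] = []           # (recipient, token)

    def request_recovery_address(self, account: str, address: str) -> str:
        """Record a pending binding and 'mail' a confirmation token to the
        recovery address. The token is returned here only so the demo can
        play the role of the mailbox owner."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.bindings[account] = RecoveryBinding(address, digest)
        self.outbox.append((address, token))
        return token

    def confirm(self, account: str, token: str) -> bool:
        """Redeem the token; only the holder of the recovery inbox has it."""
        binding = self.bindings.get(account)
        if binding is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(binding.token_hash, presented):
            return False
        binding.confirmed = True
        return True

    def disavow(self, account: str) -> None:
        """Mailbox owner rejects the association; the binding is dropped."""
        self.bindings.pop(account, None)

    def can_recover_via(self, account: str, address: str) -> bool:
        """Recovery is allowed only through a confirmed, matching address."""
        binding = self.bindings.get(account)
        return (binding is not None and binding.confirmed
                and binding.address == address)
```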

