In a previous post, we showed you how some email providers can be insecure. We thought: let’s try to prove it with the most popular email provider, Gmail.
If, for some reason, you want to access an account from a device that you’ve never used for this, the account’s owner will get a security alert notifying them of it, with the source IP and geolocation… You can even find a list of devices that accessed the account.
We thought there must be a way to skip this … we suggest you use your own Gmail account. This is safe and maybe you’ll get a different result than we did! 😉
1.- Telnet to Gmail server
We used an Ubuntu virtual machine, so we first installed telnet with SSL (in this case, SSL is a requirement!):
sudo apt-get install telnet-ssl
Then, we can easily telnet the Gmail server by issuing the command:
openssl s_client -connect smtp.gmail.com:465
openssl s_client -connect smtp.gmail.com:465 -crlf -ign_eof
2.- “Talking” with the server
Once we are connected, we need to issue the command:
And we’ll get the following response:
3.- Log in to Gmail using Telnet
It’s time to try to log in and see what happens: if we can actually log in and if we’ll receive the security alert. Let’s check!
In order to log in, you need to use the following command
Then, you’ll receive this answer from the server:
Now, you can enter your email username, encoded in Base64, so you can use this link. After that, you will receive the following:
Next, you enter your password, also Base64-encoded, and you’ll get a similar reply from the server as the one above.
At this point, maybe you were lucky, but in our case, even with our fingers crossed, we got this message:
Please log in via 534-5.7.14 your web browser and then try again.
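The following is an added example, not code from the original post: a small Python parser for the server side of the login exchange described above. It groups multi-line SMTP replies, separates the enhanced status code (such as 5.7.14) and decodes the Base64 prompts, which shows that Base64 is only an encoding and that the TLS session is what protects the credentials. The sample transcript is constructed (the 334 lines are the standard AUTH LOGIN prompts, the 534 text is modelled on the message quoted above), and the names parse_replies and build_reply are our own.

```python
import base64
import re

# Constructed sample of the server side of an AUTH LOGIN exchange (not captured
# from Gmail). The 334 lines are the standard Base64 prompts; the 534 text is
# modelled on the reply quoted in the post.
SAMPLE = (
    "334 VXNlcm5hbWU6\r\n"
    "334 UGFzc3dvcmQ6\r\n"
    "534-5.7.14 Please log in via\r\n"
    "534 5.7.14 your web browser and then try again.\r\n"
)

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
ENHANCED = re.compile(r"^(\d\.\d{1,3}\.\d{1,3})\s+(.*)$")


def parse_replies(transcript):
    """Group SMTP reply lines into replies: 'NNN-' continues, 'NNN ' ends."""
    replies, texts = [], []
    for raw in transcript.splitlines():
        m = REPLY_LINE.match(raw)
        if not m:
            continue  # not a reply line (e.g. openssl handshake output)
        code, sep, text = m.groups()
        texts.append(text)
        if sep == " ":
            replies.append(build_reply(int(code), texts))
            texts = []
    return replies


def build_reply(code, texts):
    """Split off the enhanced status code and decode 334 prompts."""
    enhanced = None
    cleaned = []
    for t in texts:
        m = ENHANCED.match(t)
        if m:
            enhanced, t = m.group(1), m.group(2)
        cleaned.append(t)
    text = " ".join(cleaned)
    if code == 334:  # AUTH challenge: payload is Base64, i.e. encoding only
        text = base64.b64decode(text).decode("utf-8", "replace")
    return {"code": code, "enhanced": enhanced, "text": text}


if __name__ == "__main__":
    for reply in parse_replies(SAMPLE):
        print(reply)
```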
4.- The Gmail Security alert
And, of course, we received the security alert in our Gmail inbox:
As you can see, because we were using a virtual machine, the device wasn’t reported. However, our public IP address and approximate location are provided.
We couldn’t skip the Gmail security alert this time but, if you followed this tutorial, we’re very interested in knowing what you got. Of course, if you found a different way to make this possible, we’ll be more than glad to know and maybe we can write a shared post (or publish your post directly!). Anyway, we hope you found this little experiment interesting and, from our side, we need to say: congrats Google, you seem to be really robust! 😀