How to skip Gmail security alert

In a previous post, we showed you how some email providers can be insecure. We thought we'd try to prove it with the most popular email provider: Gmail.

If, for some reason, you want to access an account from a device that has never been used with it, the account's owner will get a security alert about the access, including the source IP address and geolocation. You can even find a list of the devices that accessed the account.

We thought there must be a way to skip this… We suggest you use your own Gmail account. This is safe, and maybe you'll get a different result than we did! 😉

 

1.- Telnet to Gmail server

 

We used an Ubuntu virtual machine, so we first installed telnet with SSL (in this case, SSL is a requirement!):

 

sudo apt-get install telnet-ssl

Then we can easily connect to the Gmail server by issuing the command:

 

 openssl s_client -connect smtp.gmail.com:465 

or

openssl s_client -connect smtp.gmail.com:465 -crlf -ign_eof

 

2.- “Talking” with the server

 

Once we are connected, we need to issue the command:

 

EHLO localhost

 

And we’ll get the following response:

3.- Log in to Gmail using Telnet

It's time to try to log in and see what happens: whether we can actually log in and whether we'll receive the security alert. Let's check!

In order to log in, you need to use the following command:

 AUTH LOGIN 

Then, you’ll receive this answer from the server:

 334 VXNlcm5hbWU6 

Now you can enter your email username, encoded in Base64; you can use this link for the encoding. After that, you will receive the following:

334 UGFzc3dvcmQ6 

Next, you enter your password, also Base64-encoded, and you'll get a reply from the server similar to the one above.

At this point, maybe you were lucky, but in our case, even with our fingers crossed, we got this message:

Please log in via 534-5.7.14 your web browser and then try again.
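The replies in this step can be read mechanically. The Python sketch below is an added example, not code from the original post: it groups SMTP reply lines, decodes the Base64 `334` prompts (showing that Base64 is only an encoding, which is why the TLS connection is required) and pulls out the enhanced status code of the rejection. The sample replies are constructed from the lines quoted above, and the function names are illustrative.

```python
import base64
import re

# SMTP reply line: 3-digit code, '-' (more lines follow) or ' ' (last line), text.
REPLY_RE = re.compile(r"^(\d{3})([- ])(.*)$")
# Enhanced status code (RFC 3463) at the start of the reply text, e.g. 5.7.14.
ENHANCED_RE = re.compile(r"^([245]\.\d{1,3}\.\d{1,3})\s+(.*)$")

# Constructed sample of server replies, built from the lines quoted in this post.
SAMPLE_REPLIES = [
    "334 VXNlcm5hbWU6",
    "334 UGFzc3dvcmQ6",
    "534-5.7.14 Please log in via",
    "534 5.7.14 your web browser and then try again.",
]

def parse_replies(lines):
    """Group raw reply lines into complete replies: (code, enhanced, text)."""
    replies, parts, enhanced = [], [], None
    for line in lines:
        m = REPLY_RE.match(line.rstrip("\r\n"))
        if not m:
            continue  # not a server reply line (e.g. openssl s_client output)
        code, sep, text = m.groups()
        e = ENHANCED_RE.match(text)
        if e:
            enhanced, text = e.groups()
        parts.append(text.strip())
        if sep == " ":  # a space after the code marks the final line
            replies.append((int(code), enhanced, " ".join(parts)))
            parts, enhanced = [], None
    return replies

def explain(reply):
    """Turn one parsed reply into a human-readable line."""
    code, enhanced, text = reply
    if code == 334:
        # AUTH LOGIN prompts are Base64 text: an encoding, not encryption.
        return "challenge: " + base64.b64decode(text).decode("ascii")
    if code == 235:
        return "authentication accepted"
    if code // 100 == 5:
        return f"rejected ({enhanced or code}): {text}"
    return f"{code}: {text}"

if __name__ == "__main__":
    for r in parse_replies(SAMPLE_REPLIES):
        print(explain(r))
```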

4.- The Gmail Security alert

And, of course, we received the security alert in our Gmail inbox:

 

As you can see, because we were using a virtual machine, the device wasn't identified. However, our public IP address and approximate location are provided.

Conclusion

 

We couldn't skip the Gmail security alert this time but, if you followed this tutorial, we're very interested in knowing what you got. Of course, if you found a different way to make this possible, we'll be more than glad to know, and maybe we can write a shared post (or publish your post directly!). Anyway, we hope you found this little experiment interesting and, from our side, we need to say: congrats Google, you seem to be really robust! 😀
