TL;DR:
Having access to an unlocked phone (weak pin or with pattern attack...smudge attack) an attacker can reset your Google account if this account does not have 2-Step authentication.
This is a security bug in the way the Android devices allow to reset a Google Account password.
I've reported this to the google security team, but they say that this is not a security bug.
From my perspective this IS a vulnerability, so after talking several times with the triage at security@google.com I've decided to publish this.
I've made a video to show the vulnerability, the video shows the following steps to steal the account:
Video: https://www.youtube.com/watch?v=zstbkS9yrv4
Just for PoC
- clear the Chrome cache, to make sure user is not logged in (just for PoC)
- open YouTube app, to show that the user is not logged in
Attacker Steps:
- attacker opens play store to check the user of the phone
- attacker opens the browser with the URL to accounts.google.com to login with the play store account
- enter the email on the form "One account. All of Google" -> click next
- on the password form -> click "forgot password"
- on the form "Enter the last password..." -> click "try a different question"
- on the next form -> click "Send prompt"
- on the prompt "Trying to sign in" -> click "Yes"
- after this the mobile will show "Sign-in approved"
- then it allows to change the users' password without the need for anything else
- create a new password
- click -> "change password"
- Done.
After this it's possible to navigate on all Google services with this new password.
The attacker at this time has access to all the user information related to the Google accounts.
From my perspective a full Google account take over is a big thing, these days people have everything in Google.
Now, what can be done in this case? How can i protect myself?
One extra step in securing your Google account is having the 2-Step authentication configured.
And this is what i encourage all people to do.
While talking to some of my colleagues, one reminded me of an option (thanks @clviper) that if a user has his phone stolen he can activate in the Android Device Manager the option to "Erase".
Link to the Android Device Manager:
https://www.google.com/android/devicemanager
This should be configured to "On":
Although this is not the solution to the problem this can protect your data, because when the attacker connects the phone to a network the phone should be erased.