[Toybox] Gmail being weird again.

Rob Landley rob at landley.net
Mon Feb 5 10:09:28 PST 2024


I was mostly offline over the weekend, and gmail refused pop3 this morning with
"web login required", and the https://mail.google.com page prompted me for my
login/password (I log out when done with the thing I couldn't do without logging
in) and then it wanted to SMS me with a phone number it guessed was mine even
though I've never given that account my phone number.

I refused to confirm or deny its guess (SMS as a single point of failure for
password resets is CREEPY, as if nobody's ever stolen an account via sim
spoofing, and broadcasting an attacker-requestable plaintext message to your
entire city seems sub-optimal at the best of times) and instead clicked the
"help" option, which wanted me to log in _again_ with the "old password" and then
had more sms options, or I could use the next-of-kin email I gave it in case I
died. But it was 2am and she was asleep. (And she gets spammed every time I
log in from a different machine than last time, and hadn't mentioned anything in
the household discord channel...)

So I closed the tab and went to other windows, but next time I passed that
virtual desktop I clicked "get messages" in thunderbird out of sheer habit...
and it worked. And I can send too.

It looks like giving my password to the webpage counts as "web login" that
unblocked pop3 and smtp access. Only web access has the "additional
confirmation" gating popups after the fact. (So basically
https://ohai.social/@dcoderlt/111862395847437251 but professional.)

Anyway... was there a breach I'm not aware of? This week's seems to be
https://tech.co/news/google-accounts-hacked-without-passwords but again I don't
stay logged in when not actively fishing false positives out of the spam filter,
and I usually "pkill -f renderer" the other tabs before doing that (on general
principles)...

*shrug* Weird.

Rob

(Yes, gmail unsubscribed Ed Maste of the FreeBSD foundation from this list again
last week with spam filter delivery refusal, and yes now that linux-kernel moved
from vger to the new server I'm getting daily "bounce probe" emails due to
refused email delivery there too, but that's just gmail being gmail...)

