[Toybox] Gmail being weird again.
David Seikel
onefang_toybox at dave.isageek.net
Mon Feb 5 16:35:10 PST 2024
On 2024-02-05 12:09:28, Rob Landley wrote:
> I was mostly offline over the weekend, and gmail refused pop3 this morning with
> "web login required", and the https://mail.google.com page prompted me for my
> login/password (I log out when done with the thing I couldn't do without logging
> in) and then it wanted to SMS me with a phone number it guessed was mine even
> though I've never given that account my phone number.
>
> I refused to confirm or deny its guess (SMS as a single point of failure for
> password resets is CREEPY, as if nobody's ever stolen an account via sim
> spoofing, and broadcasting an attacker-requestable plaintext message to your
> entire city seems sub-optimal at the best of times) and instead clicked the
> "help" option, which wanted me to login _again_ with the "old password" and then
> had more sms options, or I could use the next-of-kin email I gave it in case I
> died. But it was 2am and she was asleep. (And she gets spammed every time I
> login from a different machine than last time, and hadn't mentioned anything in
> the household discord channel...)
>
> So I closed the tab and went to other windows, but next time I passed that
> virtual desktop I clicked "get messages" in thunderbird out of sheer habit...
> and it worked. And I can send too.
>
> It looks like giving my password to the webpage counts as "web login" that
> unblocked pop3 and smtp access. Only web access has the "additional
> confirmation" gating popups after the fact. (So basically
> https://ohai.social/@dcoderlt/111862395847437251 but professional.)
>
> Anyway... was there a breach I'm not aware of? This week's seems to be
> https://tech.co/news/google-accounts-hacked-without-passwords but again I don't
> stay logged in when not actively fishing false positives out of the spam filter,
> and I usually "pkill -f renderer" the other tabs before doing that (on general
> principles)...
>
> *shrug* Weird.
>
> Rob
>
> (Yes, gmail unsubscribed Ed Maste of the FreeBSD foundation from this list again
> last week with spam filter delivery refusal, and yes now that linux-kernel moved
> from vger to the new server I'm getting daily "bounce probe" emails due to
> refused email delivery there too, but that's just gmail being gmail...)

I bypassed that whole nonsense by telling gmail to forward all my emails
to an email server I control. I really only use gmail for ancient people
that have that email address and not much need for me to update them.

Google recently decided that one of my web pages is "deceptive". They
claim it's trying to trick people into handing over login details for
something else. It's an account creation page for a virtual world I run
for friends. It's not only open source, I wrote it and the source code
is available. The only login details it asks for are the new ones for
your new account. I sent Google an email about this, no reply.

--
A big old stinking pile of genius that no one wants
coz there are too many silver coated monkeys in the world.