When I got back from vacation, one of the many emails I had to go through was a GoDaddy one saying that my password had been reset. I thought nothing of it, and clicked the spam button in Gmail – thinking it was a phishing attack.
Today, that email suddenly jumped back into my head as I was about to register some new domain names and couldn’t log in to GoDaddy.
A quick call to friends at GoDaddy revealed that somebody had guessed my Google account password, and used my Gmail to reset my GoDaddy account. Thankfully, I caught it before they had changed any DNS settings, registered, or transferred any domains.
I also managed to change my Google account password to something even harder to guess. (I’m actually shocked that somebody had guessed a 7-letter non-dictionary word in the first place – if that’s how they got it.)
I’ve read about other techniques that involve including parts of a different domain onto your webpage, then using JavaScript to read what the browser auto-fills in the form. This can all be done in a 1px iframe apparently – maybe that’s how it was done. I’m not sure.
Anyway, it’s scary just how much your Google account actually has access to. I’m lucky I caught it in time.
Hey Jones, maybe they didn’t guess your Gmail password… is it possible they just keyed in your account number on GoDaddy… and selected forgot password and changed it just to be jerks 😉
It’s kind of funny that on so many sites you can just put in a username of someone’s that you know, because most usernames are public on the forum or whatever, and reset their password. Sure, it only annoys them, and requires them then to go reset it or check their email, but still it’s a funny little DoS. Just like trying to connect to a terminal server with someone’s account name you know and lock it out. Lots of ways to just be a jerk.
Comment by Ryan Doom — February 2, 2008 @ 8:32 pm