A reddit user has posted a story about his son resetting the password of the user's own Google account in order to buy an app from the Play store. For his son, the password reset went very smoothly: he didn't have to enter a single piece of account information to reset it. Check the quoted post from reddit below:
I just discovered what seems to me a massive security loophole. Please someone tell me if the following makes any sense.
My son was playing on my phone (Galaxy S3). He tried to purchase in app items on Subway Surfer but didn’t know the password. So, he followed the following steps to reset my password from my phone without having to enter any information about the account:
Starting from the screen after you click “buy,”
- Click the question mark next to the password box when asked to confirm password for a purchase.
- Click “forgot password.”
- Click “I don’t know.”
- Leave the selection on the page at “Confirm password reset on my Android Samsung SCH-I535 phone.”
- Click “Yes.”
- Click “Allow Password Reset.”
- Enter and confirm new Password.
And that allowed someone with absolutely no knowledge about my Google account, and access only to my phone, to reset a new password for my entire Google account.
— karcirate (reddit)
It isn’t a newly found bug or anything of that sort; this has always been possible. But thanks to this post on reddit, more people are going to be aware of it now. However, there isn’t much you can do to avoid a situation like this. Keep your phone safe and hand it only to people you trust.