How I “hacked” a Gmail account.

tawheed raheem
Oct 21, 2016

I have never considered myself either a hacker or a security expert; however, I managed to get into a Gmail account that wasn’t mine. It all started because I was looking for a way to send emails using Python.

A quick Google search brought me to this solution on Stack Overflow. As I do with most of the solutions that I find, I went ahead and searched for parts of the code on GitHub to see how others were doing it (always good to follow best practices).

To my surprise, tons of developers have been very careless with their Gmail passwords by pushing them to public repos on GitHub. I decided to take one of the email/passwords that I found for a spin to see what happens. After my first attempt, Google asked me to provide them with my phone number so that they could send me a security code to log in.

Voilà! We are in…

However, it did look like this was just a dummy account created by the user for sending test emails from their Python program. Regardless of what it is, NEVER COMMIT YOUR PASSWORD on a public repo. Consider using an ENV variable instead.
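The environment-variable approach, together with a check you can run over your own source before committing, as an added example that is not part of the original post. The variable names `SMTP_USER` and `SMTP_PASSWORD`, the function names, and the sample strings are assumptions made for illustration.

```python
import ast
import os
import smtplib
from email.message import EmailMessage

def load_smtp_credentials(env=os.environ):
    """Read the SMTP login from the environment; fail closed if a value is unset."""
    try:
        return env["SMTP_USER"], env["SMTP_PASSWORD"]  # assumed variable names
    except KeyError as missing:
        raise RuntimeError(f"environment variable {missing} is not set") from None

def send_mail(to_addr, subject, body, host="smtp.gmail.com", port=587):
    # No credential appears in the source, so nothing secret reaches the repo.
    user, password = load_smtp_credentials()
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = user, to_addr, subject
    msg.set_content(body)
    with smtplib.SMTP(host, port) as server:
        server.starttls()
        server.login(user, password)
        server.send_message(msg)

def find_hardcoded_logins(source):
    """Return line numbers of .login(...) calls that are passed a string literal,
    either directly or through a name assigned a string literal."""
    tree = ast.parse(source)
    literal_names = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            literal_names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    def is_literal(arg):
        if isinstance(arg, ast.Constant):
            return isinstance(arg.value, str)
        return isinstance(arg, ast.Name) and arg.id in literal_names
    hits = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "login"):
            args = list(node.args) + [kw.value for kw in node.keywords]
            if any(is_literal(a) for a in args):
                hits.append(node.lineno)
    return sorted(hits)

# Constructed samples: the first hard-codes the password, the second reads it from the environment.
SAMPLE_BAD = 'password = "example-password"\nserver.login("me@example.com", password)\n'
SAMPLE_GOOD = 'server.login(os.environ["SMTP_USER"], os.environ["SMTP_PASSWORD"])\n'
```

Running `find_hardcoded_logins` from a pre-commit hook over each staged `.py` file blocks the commit before the literal reaches history; a password that was already pushed still has to be changed, since deleting the line does not remove it from earlier commits.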

tawheed raheem

Founder @thetripBuddyapp | Maintainer of @vimweekly | former software engineer @oracle