mlajtos.mu

Recovering My Mom's Gmail Password

March 20, 2021 · Milan Lajtoš
story, password

As the only person with a Computer Science degree in my family, my life is centered around fixing other people's computers and remembering their passwords. A pure delight... But once in a while there comes a real challenge that makes my brain tick, and this time it really was pure delight.


How Problems Began

My mom was using her original iPad Air from 2014 until now. Thankfully, iPadOS for it still gets security updates (12.5.1 released on 11 Jan 2021, latest is 14.4.1) which is beyond awesome, but it felt kinda sluggish in a few scenarios. Not to my mom, however. I foolishly decided to go against the first principle of tech support – do not fix what is not broken – and ordered a brand new Rose Gold iPad Air 2020 which sports the badass iPad Pro design. Throw in some Pink Citrus Smart Folio, second gen Apple Pencil, and of course Smart Keyboard, just for fun.

Transferring from an old Apple device to a new one is always a breeze – migration assistant does the heavy lifting and it all just works. When the device was ready, I checked if everything was working properly – I started with Apple Mail. It couldn't download new messages because it needed to log into the Gmail account. As I mentioned, there is a part of my brain that is dedicated to storing other people's passwords, so I just remembered the password and typed it in. Tap the login button and voilà, we're in… whoa, nope. Incorrect password. Oh, shit.

The Standard Password Recovery

After a few unsuccessful attempts, I got a feeling that this was a really bad situation. Gmail's password recovery procedure usually solves this quite easily, but I knew my situation was different.

The first thing one should read before any recovery attempts is the page titled Tips to complete account recovery steps. This guide helps you understand how the recovery procedure works and what you can do to tip the scales of destiny in your favour. I grabbed the old iPad, connected to the usual wifi, opened Safari and went with the flow. It asked me to type the last password I knew. Done. Then it asked me a security question which read "asdf". How thoughtful of my past self. But I knew this one, so I typed an answer in. Then it asked me to enter an email connected to the account where Google can contact me. Well, in a normal scenario I would type in my mom's work email, but on 1 Jan 2021 it was shut down after 2 decades by the ISP. Lucky us.

I typed in my personal email address with a small hope that Gmail's machine learning algorithms would evaluate it as a safe one. I got an email with a code that I should retype into the form. I did and tapped the button. Gmail politely told me to fuck off.

Hacking the Standard Password Recovery

If this happened with a normal company, I would pick up the phone and call support. In the case of Google, you are out of luck:

For your security, you can't call Google for help to sign into your account. We don’t work with any service that claims to provide account or password support. Do not give out your passwords or verification codes.

The situation looked extra bleak, but I thought I had it figured out. I still had access to the inbox on the old iPad and what is a more direct proof of identity than that? So I used my mom's email as the contact email in the recovery form. Gmail, without even trying to send the code, told me that the email was wrong. The air that was forcibly blown out through my nostrils was followed by a long string of profanities in my native language.

The last ace I had up my sleeve was the email + sign trick, where an email sent to hello+foo@example.com will get delivered to hello@example.com. Entering the altered email worked and I received the code. However, after entering it, Gmail extended its hand towards my face and curled all its fingers except the middle one.

The game is on, motherfucker.

Thinking Outside the Box

Clearly, fighting against Google on their terms isn't a fair game. I had to change the rules. Instead of getting into the Google account, I needed to get the account credentials out of the old iPad. The Mail client could connect to Gmail and download new messages, so the password had to be somewhere. Obviously it wasn't in the Keychain, otherwise we wouldn't be here.

I have a friend, Miro Beka, who likes to challenge everyday security measures. Nothing professional, just a hobby, but I learned a ton from him. For example, mechanical lock picking, the WPS PIN vulnerability, the WEP IVs attack vector, cloning MIFARE Classic cards, and other fun stuff. Knowing about these things makes you realize that every system can be cracked. Scary and liberating at the same time.

Back to the question – how to get the damn password out of the old iPad? What would Miro do? I happened to find myself in a classic rubber duck debugging session. The answer came quickly and was kinda obvious – camouflage my MacBook as the Gmail server, and let the iPad send me the password. Googling "man in the middle imap" quickly got me to https://github.com/mrexodia/haxxmap where the holy grail was waiting.

Certified Victory

The guide uses a self-signed certificate for the proxy IMAP server, however I couldn't get the iPad to trust it no matter what I tried. Instead, I created a root certificate and a dedicated certificate for the proxy. The iPad asked me whether to trust them and I said "sure", **wink**.

The last steps and we are there: start the DNS server, point the iPad at it, and start the IMAP proxy. All set. Ready. Go. Pull to refresh in the Mail app. And the password is...

Cannot verify server identity imap.gmail.com

I tried at least eleven times just to be sure. Thankfully, people on the internet have seen this error message in the wild (which is suspicious) and found a solution! Simply remove the email account and add it back… Thanks, but that defeats the whole purpose, doesn't it?

I took a step back and thought about why that solution works in the first place. I can't just look at the source code, so I had to use my brain again, ugh. It seemed that it was comparing my fake cert to the cached cert. If removing and adding an account can fix this error, then caching must happen right at the moment of the first login. So what if I just add another Gmail account? Yup, that worked and the 3D cube appeared.
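The behaviour described above, caching the server certificate at first login and rejecting a different one later, is a trust-on-first-use (TOFU) pin check. The following Go program is an added example (not the Mail app's code, whose internals are not public, nor anything from haxxmap) that models that check from the defender's side: it pins the SHA-256 of the server key on first contact, refuses a later connection that presents a different key even though it carries the same hostname, and shows why a freshly added account (an empty pin store) accepts whatever it sees first. The certificates are throwaway test data generated in the program; `pinStore`, `verifyTOFU` and `selfSigned` are names assumed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// pinStore models the client's cache: host -> hex SHA-256 of the server's SubjectPublicKeyInfo.
type pinStore map[string]string

// spkiPin hashes the public key (not the whole cert), so a renewed cert with the same key still matches.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyTOFU records the pin on first contact and rejects any later key change for that host.
func verifyTOFU(store pinStore, host string, cert *x509.Certificate) error {
	pin := spkiPin(cert)
	cached, seen := store[host]
	if !seen {
		store[host] = pin // first login: whatever key is presented now becomes the pin
		return nil
	}
	if cached != pin {
		return fmt.Errorf("cannot verify server identity %s: server key changed", host)
	}
	return nil
}

// selfSigned builds a throwaway certificate for cn (constructed test data, not a real Google cert).
func selfSigned(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{cn}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	store := pinStore{}
	genuine, other := selfSigned("imap.gmail.com"), selfSigned("imap.gmail.com")
	fmt.Println("first login:", verifyTOFU(store, "imap.gmail.com", genuine)) // nil: pin cached
	fmt.Println("other key:  ", verifyTOFU(store, "imap.gmail.com", other))   // error: pin mismatch
	fmt.Println("new account:", verifyTOFU(pinStore{}, "imap.gmail.com", other)) // nil: empty store
}
```

The last line is the weakness the story exploits: a pin is only as trustworthy as the very first connection, so a user-installed root CA present at first login gets pinned like any other key.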