Resetting a Google password on an Android device is literally child's play

Google and Apple have been facing the ire for accidental payments made by children using their parents’ devices. Lately, Google had fixed the ‘ **30-minute window issue** ’ that led to some accidental purchases, but looks like it now has another problem to tackle. Now, with many people widely accepting modes of mobile payment, security concerns are getting even more serious.   A Reddit user has shared how his Android device’s Google ID password was easily reset, and the ‘hacker’ in question is his son.  The password was reset by a simple process and all it took was access to the phone, reports GSMArena.   Karcirate reveals that his son was playing with the Galaxy S3 and tried to make some in-app purchase in Subway Surfer, but didn’t know the password. However, he could crack the password by following the simple process set out by Google. This means that someone with absolutely no knowledge about using mobile payment accounts can easily breach security and make purchases. This becomes a major security loophole, in case your phone has reached some malicious mind, or an innocent young one at home.   Here’s what the Karcirate writes: “My son was playing on my phone (Galaxy S3). He tried to purchase in app items on Subway Surfer but didn’t know the password. So, he followed the following steps to reset my password from my phone without having to enter any information about the account: Starting from the screen after you click “buy,” 1. Click the question mark next to the password box when asked to confirm password for a purchase. 2. Click “forgot password.” 3. Click “I don’t know.” 4. Leave the selection on the page at “Confirm password reset on my Android Samsung SCH-I535 phone.” 5. Click “Yes” 6. Click “Allow Password Reset. 7. Enter and confirm new Password. And that allowed someone with absolutely no knowledge about my Google account, and access only to my phone, to reset a new password for my entire Google account.” – karcirate (reddit)   At the moment, the only way to fix this is by adding a pass code to your device, but that still doesn’t prevent someone you know and have allowed access to your device from wrecking havoc on your bank account. Google has been under fire for security issues in Android in the past, especially when it comes to in-app purchases, **prompting the company to change the way it displays apps which do have that option.**   In the past we’ve seen Apple was asked to pay at least $32 million to users over kids making unauthorised in-app purchases. It isn’t just Apple, but Google has also been facing similar issues. Earlier this year, Ilana Imber-Gluck, mother of a 5-year old son who made in-app purchases worth $65.95 has sued Google in a northern California court on behalf of herself and several other parents in a similar situation.   [caption id=“attachment_227673” align=“alignnone” width=“640”]  Even a child can break through this[/caption]   We were able to reproduce the loophole on another Android device quite easily, which does mean there’s a big vulnerability that has to be plugged urgently by Google.