I Stole Your Gmail Password

8th of January, 2018

Okay okay, I didn’t, but someone else could. This article is designed to show how easy phishing is. I built a simple form on Glitch to collect a classmate’s password. We will call her P. P bet me I would not be able to crack her password.

How did I do it?

If you just want the code, hop over to Glitch. Please note this code is for educational purposes only.

I started off by building the form. The form is designed to look identical to a Google login form.

[Image: login form]

Set the query parameter email equal to a user’s email. For example:

google-phishing.glitch.me/?email=admin1@gmail.com

Some JavaScript handles the POST request to the Node server.

Navigate to https://google-phishing.glitch.me/get_log to see the collected passwords.

Why do people fall for this? Most of us see the Google logo and feel safe. A domain like accounts-google-sign-in-appspot-com.glitch.me/… at a glance looks official. Naturally, we want to log in to access our data.
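What the eye skips over, a mail filter or link checker can test: the brand name sits in a host the brand does not own, and the link carries the victim's address in the query string. The JavaScript below is an added example, not code from the Glitch project; the allowlist, brand tokens and function names are assumptions, and the sample links are constructed from the hosts quoted in this article.

```javascript
// Added example: allowlist, tokens and function names are assumptions.
const TRUSTED_SUFFIXES = ["google.com"];   // hosts the brand really signs in from
const BRAND_TOKENS = ["google", "gmail"];  // names worth watching for in other hosts
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

function isTrustedHost(host) {
  // Match on a label boundary so "notgoogle.com" and "google.com.example.net" fail.
  return TRUSTED_SUFFIXES.some((s) => host === s || host.endsWith("." + s));
}

function assessLink(link) {
  let url;
  try {
    // Links pasted without a scheme (as in the article) are treated as https.
    url = new URL(HAS_SCHEME.test(link) ? link : "https://" + link);
  } catch {
    return { verdict: "unparseable", host: null, reasons: ["not a valid URL"] };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (isTrustedHost(host)) return { verdict: "trusted", host, reasons: [] };

  const reasons = [];
  // Signal 1: the brand name appears in a host the brand does not control.
  const hits = BRAND_TOKENS.filter((t) => host.includes(t));
  if (hits.length) reasons.push(`brand token in untrusted host: ${hits.join(",")}`);
  // Signal 2: an email address in the query string, as in the prefilled link above.
  for (const [key, value] of url.searchParams) {
    if (EMAIL_RE.test(value)) reasons.push(`email address in query parameter "${key}"`);
  }
  const verdict = hits.length ? "lookalike" : reasons.length ? "suspicious" : "unknown";
  return { verdict, host, reasons };
}

// Constructed sample links; the two glitch.me hosts are the ones quoted in the article.
const samples = [
  "https://accounts.google.com/signin",
  "google-phishing.glitch.me/?email=admin1@gmail.com",
  "https://accounts-google-sign-in-appspot-com.glitch.me/",
  "https://example.org/login",
];
for (const s of samples) console.log(s, "->", JSON.stringify(assessLink(s)));
```

Substring matching on brand tokens is deliberately broad and will flag some harmless hosts; treat "lookalike" as a reason to look at the address bar, not as proof.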

This article is to serve as a public service announcement. Please keep your passwords safe.