Shady Google Account recovery attempt by possibly Smartthings Indian Developers

It has been a while since I logged onto the Smartthings IDE Site. I was having some trouble using my Samsung account (even though I have a legit Samsung account). So I decided to click on the Google link at the bottom and it linked to my Google account. It logged me in and I was able to access everything.

https://graph-na02-useast1.api.smartthings.com/

A few minutes later, I got a notification on my phone asking to confirm if it’s me trying to recover my Google account, and the location was somewhere in India… Of course I blocked that attempt.

Very shady. Are the SmartThings developers in India trying to hack into users' Google accounts? This is very disturbing and I want to share that here. Makes you wonder what else they’re doing with your IoT devices, cameras, etc.

Hmmmm…

There’s no “sign in with Google account” on the legit site, which you should always go to by using

https://account.smartthings.com

It sounds like you may have mistyped the URL and gone to a phishing site by mistake. :disappointed_relieved:

Here’s what the real screens look like. No Google link.


There is no Google link at any SmartThings or Samsung operated website.

You either went to the wrong website, or were being asked to login to Chrome (to sync your browser settings), or being asked to login by some legitimate or illegitimate browser extension.

Be sure to run a virus scan.


I think what he meant by “Google link” is that when you log in with the Samsung account, there is an option to sign in with the Gmail account instead of typing username/password. That’s how I do it all the time, and that is my understanding of OP’s “Google link”. I’m sure he will be able to shed some light.
On another note, I reached out to SmartThings support and the person I am dealing with seems to be located in India, and has been very helpful.

Hmm that’s scary about a phishing site. That explains why despite typing in my Samsung credentials (happens to be a gmail account) many times it still said my password was incorrect. Then there was that mysterious “Log in with Google” link at the bottom. I clicked on it, typed in my Google password and it worked.

Worst case is they captured my Samsung account password, or even my Gmail password. Luckily I can still log into both. I’m going to change those passwords just in case.


Really? I’ve never seen this option for Samsung / SmartThings! Perhaps my ad blocker hides it. … No; I think I have ad blocking disabled for Samsung. So … that’s strange. I wonder who is given the option and who is not. Either that, or it is not really a Google login and it’s an extension hack?

Using federated logins is convenient, but has certain risks. If you check the URL of the login flow to be sure it really is going to Google, then there is no risk of leaking your password.

However, if your Google password does get compromised somewhere, then all of the sites where you use Google for login might be accessible.

I don’t think it’s necessary to panic or be paranoid here: Google Login as an option is quite prevalent, but I’m still confused. Are you sure it’s not just login for the Community?

Google account is an option for login at account.samsung.com, not account.smartthings.com:

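The post above says to check the URL of the login flow before typing a Google password into it. Here is an added example of what that check looks like when done mechanically; it is not code from the SmartThings or Samsung sites. The Google sign-in host (accounts.google.com) is the real one; the relying-party allowlist and the sample links are assumptions constructed for this example.

```javascript
// Added example: inspect a "Sign in with Google" link the way the post above
// recommends. Not code from any SmartThings/Samsung page.

// The host Google's sign-in and OAuth authorization pages actually live on.
const GOOGLE_SIGNIN_HOST = "accounts.google.com";

// Assumption: the sites whose login you expect to be completing. Adjust as needed.
const EXPECTED_RELYING_PARTIES = new Set(["account.samsung.com", "account.smartthings.com"]);

function checkGoogleLoginUrl(href, relyingParties = EXPECTED_RELYING_PARTIES) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: `not https (${url.protocol})` };
  }
  // Exact host match. This rejects lookalikes such as
  // "accounts.google.com.login-verify.example" and "accounts-google.com",
  // and the userinfo trick "https://accounts.google.com@evil.example/",
  // whose parsed hostname is evil.example, not accounts.google.com.
  if (url.hostname !== GOOGLE_SIGNIN_HOST) {
    return { ok: false, reason: `host is ${url.hostname}, not ${GOOGLE_SIGNIN_HOST}` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  // In an OAuth / OpenID Connect authorization request, redirect_uri is where
  // Google will send the authorization code after you sign in. It must point
  // at a site you expect; otherwise a correct Google page can still hand the
  // result of your login to someone else.
  const redirect = url.searchParams.get("redirect_uri");
  if (redirect !== null) {
    let r;
    try {
      r = new URL(redirect);
    } catch (e) {
      return { ok: false, reason: "bad redirect_uri" };
    }
    if (r.protocol !== "https:" || !relyingParties.has(r.hostname)) {
      return { ok: false, reason: `redirect_uri goes to ${r.hostname}` };
    }
  }
  return { ok: true, reason: "ok" };
}

// Constructed sample links, not captured from any real page.
const SAMPLES = {
  legit: "https://accounts.google.com/o/oauth2/v2/auth?client_id=x&response_type=code" +
         "&scope=openid%20email&redirect_uri=https%3A%2F%2Faccount.samsung.com%2Fcallback",
  lookalikeHost: "https://accounts.google.com.login-verify.example/o/oauth2/v2/auth?client_id=x",
  userinfoTrick: "https://accounts.google.com@login-verify.example/",
  plainHttp: "http://accounts.google.com/o/oauth2/v2/auth?client_id=x",
  badRedirect: "https://accounts.google.com/o/oauth2/v2/auth?client_id=x" +
               "&redirect_uri=https%3A%2F%2Flogin-verify.example%2Fcb",
};

// Returns {name: pass/fail} for every sample so the results can be checked.
function runSamples(samples = SAMPLES) {
  const out = {};
  for (const [name, href] of Object.entries(samples)) {
    out[name] = checkGoogleLoginUrl(href).ok;
  }
  return out;
}

for (const [name, ok] of Object.entries(runSamples())) {
  console.log(`${name}: ${ok ? "looks like Google" : "do not type a password here"}`);
}
```

Only the first sample passes. The point of the exact-host comparison is that eyeballing a long URL is where people slip: the hostname is what sits between the scheme and the first single slash, and anything after it, including "google.com" in a path or a later label, does not count. One caveat on the post's "no risk" wording: this check covers the link you click, not a page rewritten by a browser extension or a form that was swapped after loading, so also confirm the address bar at the moment you type.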

I managed to see the sign in with Google.

On the account.smartthings.com page, if I selected Samsung account, I didn’t see the Google login.

If I selected the SmartThings login, and then selected the sign in with Samsung account on this page, I see the Google login.

It appears there are a couple different Samsung sign in pages. I’m on my mobile so I didn’t look at the URL’s to see what the difference is.


Well that’s just crazy.

Obviously there’s been an oversight here. :confused: