Google Family Link Exploit Enables Account Lockout and Surveillance

Google Family Link, Google's child safety feature, can be leveraged by an attacker to lock you out of your Google account and surveil and control your activity.

A software engineer who goes by the online handle Techwolf12 discovered the vulnerability when it was used against one of their friends.

Family Link is designed to help parents manage their children's accounts and devices. As such, anyone with a "child" account has very little ability to manage their own security settings.

You won't be allowed to go through the standard Google account recovery process. There's reportedly no known automated way to get access to your account again.

The only way users have found to recover a Google account after the attack is to tweet at TeamYouTube on X and hope they will manually restore access.

You can also pay for a Google One subscription for the ability to talk to a real human support agent (free accounts don't get live support). The agent won't be able to fix it directly, but they can escalate to someone who can.

Techwolf says 2FA won't protect you against the attack, since cookie-stealing malware bypasses it entirely and changing the age on your Google account and enrolling in Family Link doesn't require 2FA.

Enabling Advanced Protection on your Google account is an effective mitigation, however, since an account enrolled in it can't be added to a Family Link group.

Once an attacker has your account locked down, they have full visibility into your digital life.

They can track your real-time location via Google Maps, lock your Android device whenever they want, see your screen time and intercept app downloads, and read your incoming emails, including password reset emails.

The attack works by first gaining access to your password via a data breach, phishing, or any number of other methods. The attacker then changes your birth year so that the account appears to belong to someone under 13, and links your account to a "parent" Google account that they control.

The attacker now has full authority over your account.

This exploit shows how forced "child safety" features can easily backfire. Strangely enough, Google has bragged about its digital ID technology but provides no way to prove your age using it.

Also alarming is that Google is evidently aware of this exploit, since multiple users have needed Google's support staff to recover their accounts for them, yet it still remains unfixed.

For now, anyone with a Google account should lock it down as much as possible and be very vigilant.
