Is Accounts.Google.com Safe?

Accounts.google.com is the URL for created a Google account. The Google account means you can browse with the google.com search engine without being tracked by any tracking cookies and websites that may have otherwise given up some information such as your general computer dimensions, general location of the nearest mobile tower, et cetera.

Once you have created a Google account, you can sign in and persoanlize settings and manage your information and privacy to “make Google work better for you” according to Google. A Google account also allows you to sync browsers between devices which is a modern feature many Googlers appreciate.

Website: https://myaccount.google.com/

Is Accounts.Google.com Safe?

I conducted a series of malware tests to find out if accounts.google.com is safe and legit. Here are the results:

I installed the Malwarebytes Browser Guard on my Edge browser and was able to browse the site accounts.google.com without any issues.

To check this further I ran malware scans with Malwarebytes and Spybot on my computer after browsing the site accounts.google.com and they returned no malware detection. I also ran a system-wide scan with Microsoft Defender and no malware was found.

To try to confirm that the site is clean, I also checked the site accounts.google.com on the online malware scanner Sucuri and it returned with no major issues. You can see the same here: https://sitecheck.sucuri.net/results/accounts.google.com

Accounts.Google.com Sucuri results

Sucuri says there was a 404 Not Found site issue for the following URL:

https://accounts.google.com/signin/usernamerecovery?continue=https://accounts.google.com/&ifkv=AWnogHcP-1ilUR1iTryMay6-cqaKnstOmrWSG3PKhYVh_gPY4_69jw3dM1QnofGaorhViA73Mj3C&hl=en

This meant Sucuri wasn’t able to scan that URL. However, I can see that that is just a sign-in page which is a common problem. Sucuri was able to scan the rest of the site accounts.google.com without any issues and concluded that it was a low security risk.

Some hardening improvements could be made such as solving the missing security headers listed below:

Missing security header for ClickJacking Protection. Alternatively, you can use Content-Security-Policy: frame-ancestors ‘none’. Affected pages:
https://accounts.google.com/404testpage4525d2fdc
https://accounts.google.com/signin/v2/’ _.C(_.Uv(h).replace(/;/g,
https://policies.google.com/privacy?gl=US&hl=en
https://policies.google.com/terms?gl=US&hl=en

Missing Strict-Transport-Security security header. Affected pages:
https://accounts.google.com/404javascript.js
https://accounts.google.com/404testpage4525d2fdc
https://accounts.google.com/signin/v2/’ _.C(_.Uv(h).replace(/;/g,
https://policies.google.com/privacy?gl=US&hl=en
https://policies.google.com/terms?gl=US&hl=en

Missing Content-Security-Policy directive. We recommend to add the following CSP directives (you can use default-src if all values are the same): script-src, object-src, base-uri, frame-src. Affected pages:
https://accounts.google.com/404testpage4525d2fdc
https://accounts.google.com/signin/v2/’ _.C(_.Uv(h).replace(/;/g,
https://accounts.google.com/signup/v2/nojs?continue=https://accounts.google.com/
https://policies.google.com/privacy?gl=US&hl=en
https://policies.google.com/terms?gl=US&hl=en

The ‘unsafe-eval’ keyword in Content-Security-Policy is not recommended. Please consider fixing the JavaScript code.

On a positive note, there is a website firewall already installed and no security vendors associated with Sucuri have blacklisted the domain, meaning they don’t consider the site accounts.google.com to be malicious.

Lastly, I ran a malware scan with VirusTotal on the domain accounts.google.com and one security vendor has flagged the domain as malicious. You can see the same here: https://www.virustotal.com/gui/domain/accounts.google.com

Accounts.Google.com VirusTotal results

1 security vendor out of 88 isn’t a bad result and suggests that the 1 security vendor that has flagged it as malicious is probably sensing a false positive rather than the site being malicious.

In conclusion, the site accounts.google.com is a low security risk and doesn’t have malware according to Sucuri. One security vendor out of all the vendors associated with Sucuri and VirusTotal has flagged the domain as malicious which likely suggests it is a false positive. Given all the information we have, the site accounts.google.com is likely safe.