by superasn 1991 days ago
Even though the post is a bit clickbaity, there is still one thing I learned from it, and I'd like some cyber security expert to confirm this:

- there exists a powerful token (like a master key) using which a person can read all my emails, drive, etc bypassing the email alert and unknown device check?

1 comments

If you mean the one that's used on your phone to access everything, yes, although it doesn't bypass the email alert (the linked clickbait goes into how they have to click "allow device" on their already-signed-in phone). When you log into either the Google.com website or into an Android device your token needs permission to do everything you'd expect to do as a user - gmail, drive, etc. This attack is basically a browser MITM which captures that token and (theoretically) ships it off to a server for malicious usage/storage.

Or, if you mean "can Google employees read my email", then they can since almost no Google service is end-to-end encrypted (although you can e2ee Chrome sync[0]). Gmail, Drive, and Docs are completely unencrypted unless you use encryption on top of it (like with rclone[1] or cryptomator[2]).

0: https://support.google.com/chrome/answer/165139?co=GENIE.Pla....

1: https://www.section.io/engineering-education/encrypting-gdri...

2: https://cryptomator.org/

I only had to click 'allow device' because I had 2FA enabled on that account. For anyone who doesn't, that step is not required.