Hacking Google Gmail accounts exploiting password reset system flaw

9:30 ET, 25 November 2013

Security researcher Oren Hafif demonstrated how to hack a Google Gmail account exploiting a serious flaw in the password reset process.

A serious vulnerability in the password reset process of Google account allows an attacker to hijack any account, this is the sensational discovery made by security researchers Oren Hafif.

“that password recovery is often in the center of attention for attackers – and for security professionals.” reported Oren.

Oren demonstrated the feasibility of a common spear-phishing attack relying on a number of flaws including Cross-site request forgery (CSRF) and cross-site scripting (XSS). An attacker sends to the targeted account a fake “Confirm account ownership” email, claiming to come from Google.

Following the canonic scheme of attack the link embedded in the fake e-mail asks the recipient to confirm for the ownership of the account and requests victim to change the password.

The link in the email points to an HTTPS google.com URL, but exploiting a CSRF attack with a customized email address it leads the victim to a website controlled by attackers.

” The link should actually refer to an attacker’s site (and it does):

http://www.orenh.com/test.html#[email protected]” The attacker’s site performs a CSRF with the customized email address, and once completed – launches the XSS exploit. The code might look like this:” said Oren.

g1

“the code above, reads a Hash parameter (“Email”) for the victim’s email. It creates an invisible image and puts an “initialize password recovery” link as its source.After the request is processed, an Error event is thrown (since this is not really an image).”

The Google HTTPS page will ask the victim to confirm the ownership by entering his last password and then will ask to reset his password.

 g2g3 g4

At this point the hacker has grabbed victim new password and cookie information with an XSS attack.

“The onError handler now redirects to the XSS’d URL, The user clicks “Reset Password”… and from here the sky is the limit.”

g5

The researcher published a proof of concept video to demonstrate the attack:

http://www.youtube.com/watch?feature=player_embedded&v=zJFuSPywWM8

Hafif reported the flaw to the Google Security department and Google has promptly fixed the issues assigning a reward of $5,100 under their Bug Bounty Program.

Pierluigi Paganini    

(Security Affairs – Google mail, hacking)
rsa-logo

 

 

 

Subscribe to Cyber Defense Magazine

Join our mailing list, no strings attached. We never sell your data. We'll send you monthly e-magazines, webinar invites from us and our partners, cybersecurity trade show updates, awards, infosec news, cybersecurity tips and so much more on all things cyber defense.
Subscribe

Related News

The Password Is Dying. It’s Time for A DNR.
November 25, 2013

CyberDefenseMagazine Follow 24,016 54,487

Cyber Defense Magazine - The Premier Source for IT Security and Compliance Information. https://t.co/748STKH6k0.

cyberdefensemag

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!

Show Me!
X