Hacking Google Gmail accounts exploiting password reset system flaw

9:30 ET, 25 November 2013

Security researcher Oren Hafif demonstrated how to hack a Google Gmail account by exploiting a serious flaw in the password reset process.

A serious vulnerability in the password reset process of Google accounts allows an attacker to hijack any account: this is the sensational discovery made by security researcher Oren Hafif.

Oren reported “that password recovery is often in the center of attention for attackers – and for security professionals.”

Oren demonstrated the feasibility of a common spear-phishing attack relying on a number of flaws, including cross-site request forgery (CSRF) and cross-site scripting (XSS). The attacker sends the targeted account a fake “Confirm account ownership” email, claiming to come from Google.

Following the canonical attack scheme, the link embedded in the fake e-mail asks the recipient to confirm ownership of the account and requests that the victim change the password.

The link in the email points to an HTTPS google.com URL, but by exploiting a CSRF attack with a customized email address it leads the victim to a website controlled by the attackers.

“The link should actually refer to an attacker’s site (and it does):

http://www.orenh.com/test.html#Email=hatechnion@gmail.com

The attacker’s site performs a CSRF with the customized email address, and once completed – launches the XSS exploit. The code might look like this:” said Oren.

[code screenshot not reproduced]

“The code above reads a hash parameter (“Email”) for the victim’s email. It creates an invisible image and puts an “initialize password recovery” link as its source. After the request is processed, an Error event is thrown (since this is not really an image).”
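The trick described above works only because the "initialize password recovery" request can be triggered by a plain GET from a third-party page (an image load) with no proof that the user intended it. The following is an added example, not code from the article or from Hafif's research, of how a server-side handler for such an endpoint can refuse forged requests: accept POST only, require a matching Origin header, and require a per-session CSRF token in the request body. The `Request` class, `SITE_ORIGIN`, `SERVER_SECRET` and the session cookie name are assumptions constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed values for this example; a real deployment would load a
# random secret from its configuration, never a literal in source.
SERVER_SECRET = b"example-secret-do-not-use"
SITE_ORIGIN = "https://accounts.example.com"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (assumption)."""
    method: str
    headers: dict
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the user's session.

    An attacker page cannot read the victim's session cookie or this token,
    so it cannot include it in a forged request.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, token) -> bool:
    if not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def reset_init_allowed(req: Request):
    """Decide whether a 'start password recovery' request may proceed.

    Returns (allowed, reason); the reason is suitable for an audit log so
    that bursts of rejected cross-site attempts are visible to defenders.
    """
    # 1. State-changing action: POST only. An <img src=...> load is always a
    #    GET, so the invisible-image trick fails at this step.
    if req.method != "POST":
        return False, "method"

    # 2. Origin check. Browsers attach Origin to cross-site POSTs; a missing
    #    or foreign Origin is treated as forged.
    if req.headers.get("Origin") != SITE_ORIGIN:
        return False, "origin"

    # 3. Session-bound token in the body. A cookie alone is not enough,
    #    because the browser sends cookies on cross-site requests too.
    session_id = req.cookies.get("session")
    if not session_id or not csrf_token_valid(session_id, req.form.get("csrf")):
        return False, "csrf"

    return True, "ok"


if __name__ == "__main__":
    sid = "session-abc123"  # constructed session id
    token = issue_csrf_token(sid)
    # Request shaped like an image load from an attacker-controlled page.
    forged = Request("GET", {"Referer": "http://attacker.example/test.html"},
                     cookies={"session": sid})
    # Legitimate form post from the site's own recovery page.
    genuine = Request("POST", {"Origin": SITE_ORIGIN},
                      form={"csrf": token}, cookies={"session": sid})
    print("image-style GET:", reset_init_allowed(forged))
    print("genuine POST:  ", reset_init_allowed(genuine))
```

Rejections are returned with a reason rather than silently dropped, so the endpoint can log them; a spike of `method` or `origin` rejections carrying a Referer from an unknown host is exactly the signal a defender would want to alert on.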

The Google HTTPS page will ask the victim to confirm ownership by entering his last password and will then ask him to reset it.


At this point the attacker has grabbed the victim's new password and cookie information through the XSS attack.

“The onError handler now redirects to the XSS’d URL. The user clicks “Reset Password”… and from here the sky is the limit.”


The researcher published a proof of concept video to demonstrate the attack:

http://www.youtube.com/watch?feature=player_embedded&v=zJFuSPywWM8

Hafif reported the flaw to the Google Security team, and Google promptly fixed the issues and assigned a reward of $5,100 under its Bug Bounty Program.

Pierluigi Paganini    

(Security Affairs – Google mail, hacking)