Hacking Google Gmail accounts exploiting password reset system flaw

Pierluigi Paganini November 23, 2013

Security researcher Oren Hafif demonstrated how to hack a Google Gmail account exploiting a serious flaw in the password reset process.

A serious vulnerability in the password reset process of Google account allows an attacker to hijack any account, this is the sensational discovery made by security researchers Oren Hafif.
that password recovery is often in the center of attention for attackers – and for security professionals.” reported Oren.
Oren demonstrated the feasibility of a common spear-phishing attack relying on a number of flaws including Cross-site request forgery (CSRF) and cross-site scripting (XSS). An attacker sends to the targeted account a fake “Confirm account ownership” email, claiming to come from Google.
Following the canonic scheme of attack the link embedded in the fake e-mail asks the recipient to confirm for the ownership of the account and requests victim to change the password.
The link in the email points to an HTTPS google.com URL, but exploiting a CSRF attack with a customized email address it leads the victim to a website controlled by attackers.

” The link should actually refer to an attacker’s site (and it does):

http://www.orenh.com/test.html#[email protected]” The attacker’s site performs a CSRF with the customized email address, and once completed – launches the XSS exploit. The code might look like this:” said Oren.
Google mail attack code
the code above, reads a Hash parameter (“Email”) for the victim’s email. It creates an invisible image and puts an “initialize password recovery” link as its source.After the request is processed, an Error event is thrown (since this is not really an image).”
The Google HTTPS page will ask the victim to confirm the ownership by entering his last password and then will ask to reset his password.

Hacking Google Gmail account

Hacking Google Gmail account 2

Hacking Gmail account email link

At this point the hacker has grabbed victim new password and cookie information with an XSS attack.

“The onError handler now redirects to the XSS’d URL, The user clicks “Reset Password”… and from here the sky is the limit.”

Google Gmail xss attack

The researcher published a proof of concept video to demonstrate the attack:

Hafif reported the flaw to the Google Security department and Google has promptly fixed the issues assigning a reward of $5,100 under their Bug Bounty Program.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Google mail, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment