It is well known that Google runs its Vulnerability Reward Program, which gives white hat hackers and security researchers an opportunity to prove their skills and capabilities by participating.
A Pakistani student (a white hat hacker) has discovered a new vulnerability in Gmail's verification process that allowed hackers to take over Gmail accounts. The researcher later reported it and was awarded $20,000 by Google.
Ahmed Mehtab, a student from Pakistan and the CEO of Security Fuss, identified an inherent flaw that bypasses the verification Google uses when switching and linking email addresses. He discovered that an email address became vulnerable to hijacking when one of the following conditions occurs:
- The recipient's SMTP server is offline
- The recipient has deactivated the email address
- The recipient doesn't exist or the email ID is invalid
- The recipient exists but has blocked the sender
The above video shows how the attack is conducted. Initially, the attacker tries to verify ownership of an email address by emailing Google. In return, Google sends a verification email to that address. Because the address cannot receive the email, Google's mail is sent back to the actual sender, and this time it contains the verification code. The hacker then uses this verification code, and ownership of that address is confirmed.
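
A defensive sketch of the failure mode described above, added here as an example (it is not Google's code or its actual fix): a verification service parses the bounce, revokes the pending code for the undeliverable address, and sends the requester only a generic notice rather than the bounce, which quotes the code. The `pending` store, the addresses and the sample bounce are constructed for illustration.

```python
import email
from email import policy

# Constructed sample bounce (RFC 3464 layout); addresses and code are made up.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed permanently.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; victim@offline.example
Action: failed
--b1
Content-Type: message/rfc822

Subject: Confirm address

Confirmation code: 123456789
--b1--
"""

def failed_recipients(raw):
    """Return addresses a DSN reports as failed."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return []
    failed = []
    for part in msg.iter_parts():  # top level only, not the quoted original
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload() or []:  # one header block per recipient
                if str(block.get("Action", "")).strip().lower() == "failed":
                    addr = str(block.get("Final-Recipient", "")).split(";", 1)[-1]
                    failed.append(addr.strip().lower())
    return failed

def handle_bounce(raw, pending):  # pending: hypothetical store, target -> {"requester", "code"}
    """Revoke pending codes for bounced targets; never relay the bounce body."""
    notices = []
    for addr in failed_recipients(raw):
        if addr in pending:  # pop() makes the issued code unusable from here on
            notices.append((pending.pop(addr)["requester"], f"{addr} undeliverable; verification cancelled"))
    return notices
```

The requester learns only that the address could not be reached; the quoted original message, and the code inside it, stays on the service side.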