A recent set of Google patches included a fix for a serious Gmail account recovery vulnerability, the details of which have been disclosed.
Researcher Oren Hafifi of Israel points out in his disclosure that unlocking a Google password opens the door to much more than email, elevating the risk.
“Did you ever stop and ask what does GMAIL stand for? It’s the Global Main Authentication and Identification Library. Seriously, if someone got access to your Gmail account, he can ‘password recover’ his way to any other web/mobile application out there,” Hafifi wrote on his blog.
Hafifi combined cross-site scripting, cross-site request forgery, and password flow bypass to pull off this hack.
The attack starts with a spoofed Google phishing email sent to a Gmail user. Hafifi explains the gory details in his blog about the ins and outs of why his attack works, but essentially the phishing email must be customized with the victim’s email address in the URL.
The link, however, should refer to the attacker’s site where a cross-site request forgery (CSRF) is requested. Next a cross-site scripting attack launches and the user is presented with a phony password reset option.
“The user clicks ‘Reset Password’ and from here, the sky is the limit,” Hafifi wrote.
Once the user tries to reset their password and recover their account, the attacker is in the background receiving the new password and cookie information.
Hafifi said Google patched the vulnerability within 10 days and he is in line to receive a bug bounty and another Hall of Fame recognition from Google.