Google patched a hole in its Gmail verification system last week that allowed an attacker to hijack a targeted Google Gmail account.
The discovery was made by Ahmed Mehtab, a security researcher and founder of Security Fuse. The hack is simple to execute and requires less than dozen steps to pull off.
The hack exploits an authentication or verification bypass vulnerability in a Gmail feature that allows you to send email from a second Gmail account. Mehtab said the attack is “similar to account takeover but here I — as an attacker — can hijack email addresses by confirming the ownership of email (account).” Exploiting the hack, an attacker can send email as if it was being sent from the compromised account. In addition, the attacker could have email forwarded to the compromised Gmail address.
The hack has one big prerequisite, however. The Gmail account targeted for hijacking must either be blocking emails sent from the attacker’s account, or be deactivated or be tied to a nonexistent Gmail account. Under these scenarios, Mehtab was able to send email as email@example.com and firstname.lastname@example.org.
Google confirmed with Threatpost both the vulnerability and fixing the flaw.
What the attack did not appear to allow Mehtab to do, based on a technical description of the hack posted by Mehtab, is access the contents of the targeted Gmail account or access related Google Account services such as Google Drive, Photos and Play where personal and financial information is stored.
The hack is tied to the way Google handles linking a primary Gmail account to another email address to allow the function of message forwarding and using email aliases. In a video, above, Mehtab shows how he was able to trick Google into adding an email account to an existing account.
To pull off the hack, Mehtab first went to his Gmail’s Settings menu and selected the “Send Mail As” option and selecting the “Use Gmail to send from your other email addresses” and select “Treat as an alias.” From here, as the video shows, Mehtab forces Google to send a verification email to add the Gmail address to his account to the nonexistent Gmail address that delivers a bounce back email message. Now Mehtab can access that bounce back message and pluck out the verification code number and successfully add the account to his Gmail account.
“Any Gmail address which is associated or connected with Gmail’s SMTP was vulnerable to this security issue,” Mehtab wrote. That includes @gmail.com, @googlemail.com or @googleemail.com, according to Mehtab.
“There is a scenario where attacker can trick victim in deactivating his account or attacker can also trick victim in blocking his email address,” he said. “Once he does that we can hijack his email address easily.”
Mehtab disclosed the bug to Google on Oct. 20. Google addressed the flaw the same day. On Nov. 1, Google added the bug to its “Hall of Fame,” according to Mehtab. “One of the sad part in this research is that, i was not rewarded for such a serious security issue but they acknowledged my research and listed me in Hall of fame,” he noted in his blog outlining his research.