Security researcher Oren Hafif recently uncovered a vulnerability that tricks Gmail users into giving away their passwords.
Hafif discovered the vulnerability while walking through the Account Recovery process found at https://www.google.com/accounts/recovery/.
In his blog post, Hafif noted that Google could improve its Cross-Site Request Forgery (CSRF) protection by making consistent use of CAPTCHAs, the obscured images used to tell bots and humans apart.
An example of a common CAPTCHA
Eventually, Hafif used a phishing email to launch a cross-site scripting (XSS) attack. In the video below, Hafif demonstrates the exploit from start to finish.
The link in the phishing email first takes the victim to the attacker's website, but because of the quick redirect this would probably go unnoticed.
The flaw has since been fixed by Google, taking 10 days to remedy according to Hafif.
Reports such as these only serve to confirm that no application is perfectly secure. However, it is still comforting to know there are white-hat researchers reporting vulnerabilities that affect major services like Google.
For responsibly disclosing the vulnerability, Hafif will be rewarded under the Google Vulnerability Reward Program.
Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis. Follow him on Twitter @joshcannell