
Hacking Gmail accounts with password reset system vulnerability

Oren Hafif, a security researcher, has discovered a critical vulnerability in the password reset process of Google accounts that allows an attacker to hijack any account.

He managed to trick Google users into handing over their passwords via a simple spear-phishing attack by leveraging a number of flaws: cross-site request forgery (CSRF), cross-site scripting (XSS), and a flow bypass.
In a proof of concept video demonstration, the attacker sends his victim a fake “Confirm account ownership” email, claiming to come from Google.

The link mentioned in the email instructs the recipient to confirm ownership of the account and urges the user to change their password.

The link from the email apparently points to an HTTPS google.com URL, but it actually leads the victim to the attacker’s website because of a CSRF attack with a customized email address.

The Google HTTPS page will ask the victim to confirm ownership by entering their last password and will then ask them to reset their password.

But in actuality, the attacker has grabbed the victim's new password and cookie information using an XSS attack at this step.


Hafif informed Google's security engineers of the details of this serious security vulnerability, and Google has now addressed the issues. Google has rewarded Mr. Hafif with $5,100 under its Bug Bounty Program.