Pakistani hacker found a vulnerability in Gmail’s verification process that allowed hijacking of any email account
In order to keep users safe from cyberattacks, several major websites have implemented bug bounty programs to give novice programmers, white hat hackers and security researchers an opportunity to discover and resolve bugs before the general public is aware of them, thereby preventing incidents of widespread abuse.
One such website is Google that invites researchers worldwide to find out flaws in its newest or existing applications, extensions, software and operating system that are available at Google Play, Chrome Web Store and/or iTunes and awards prizes to anyone who finds a legitimate bug which could be exploited. The main objective of these programs is to make Google’s applications and systems more secure and protected.
Recently, Ahmed Mehtab, a Pakistani student and CEO at Security Fuss, was listed in Google’s Hall of Fame for his contribution in Google’s Vulnerability Reward Program (VRP).
In order for Ahmed to qualify for Google’s VRP, it was important that the identified bug or vulnerability falls in any one of the categories mentioned below. If the vulnerability is identified as a valid one, the hacker can expect to receive up to $20,000 by Google as a reward.
- Cross-site scripting
- Cross-site request forgery
- Mixed-content scripts
- Authentication or authorization flaws
- Server-side code execution bugs
If a user has more than one email address, Google allows the facility to associate or link all of the addresses and also allows forwarding addresses, to which emails of the primary account can be forwarded to.
Ahmed found a way to prove that these methods adopted by Google were actually vulnerable to authentication or verification bypass, which leads to the hijacking of the email IDs.
However, it is possible only if one of the following cases is true:
- Recipient of the SMTP is offline.
- If recipient has deactivated his email.
- Recipient doesn’t exist or invalid email ID.
- The recipient exists but has blocked the sender.
Further, here is how hijacking is carried out:
- Attacker tries to confirm ownership of an email address by emailing Google.
- Google sends an email to that address for confirmation.
- The email address is not capable to receive email and hence, email is bounced back to the actual sender.
- The bounced email will contain the verification code.
- Attacker takes that verification code and confirms his ownership to that particular address.
This is not the first time when a Pakistani hacker has reported such serious security flaws. Earlier, security researcher Rafay Baloch was paid $5000 as a bug bounty for reporting dangerous flaws in Chrome and FireFox along with $10,000 for revealing a Code Execution/Command Execution vulnerability in PayPal that allowed hackers to execute any command on the server.