Filename | Hacking Gmail accounts with password reset system vulnerability |
Permission | rw-r--r-- |
Author | Unknown |
Date and Time | 11/23/2013 |
Label | Cyber News| Penetration |
Ethical Hacking Institute in Pune
./Arizona Team
Oren Hafif, a security researcher, has discovered a critical vulnerability in the password reset process of Google accounts that allows an attacker to hijack any account.
He managed to trick Google users into handing over their passwords via a simple spear-phishing attack by leveraging a number of flaws: cross-site request forgery (CSRF), cross-site scripting (XSS), and a flow bypass.
In a proof-of-concept video demonstration, the attacker sends his victim a fake “Confirm account ownership” email, claiming to come from Google.
The link mentioned in the mail instructs the recipient to confirm ownership of the account and urges the user to change their password.
The link in the email apparently points to an HTTPS google.com URL, but it actually leads the victim to the attacker’s website because of a CSRF attack with a customized email address.
The Google HTTPS page will ask the victim to confirm ownership by entering their last password and will then ask them to reset the password.
But in actuality, the hacker has grabbed the victim's new password and cookie information at this step using an XSS attack.
Hafif informed the Google security engineers of the details of this serious security vulnerability, and Google has now addressed the issues. Google has rewarded Mr. Hafif with $5,100 under its Bug Bounty Program.
www.arizonainfotech.com
CEH CHFI ECSA ENSA CCNA CCNA SECURITY MCITP RHCE CLOUD ANDROID IPHONE NETWORKING HARDWARE TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking, IT Security Training Information Security Training Courses in Pune, ceh certification in pune, Ethical Hacking Course in Pune