Hacker finds flaw in Gmail allowing anyone to hack any email account
November 7, 2016
Seid Yassin (557 articles)

Hacker finds flaw in Gmail allowing anyone to hack any email account

It is a well-known fact that Google loves to give novice programmers, white hat hackers and security researchers an opportunity to prove their skills and capabilities by participating in Google’s Vulnerability Reward program.
Google invites researchers from all across the globe to find out flaws in its newest or existing applications, extensions, software and operating system that are available at Google Play, Chrome Web Store and/or iTunes. In return, the successful candidate is awarded prizes. The core objective of these programs is to make Google’s apps and systems more protected and secure.

However, it isn’t an easy feat to accomplish since to qualify for Google’s VRP, it was vital that the bug/vulnerability is identified in any of these categories mentioned below:

“Cross-site scripting,

Cross-site request forgery,

Mixed-content scripts,

Authentication or authorization flaws,

Server-side code execution bugs”

When the vulnerability is identified as a valid one, the hacker can expect to receive up to $20,000 by Google.

Ahmed Mehtab, a student from Pakistan and the CEO of Security Fuse, is the latest to win this prize money by Google. Mehtab discovered a flaw in Gmail’s authentication or verification methods.

If a user has more than one email address, Google lets the user link all of the addresses and also lets emails of the primary account be forwarded to secondary accounts.

Mehtab identified an inherent flaw in the verification bypass method adopted by Google for switching and linking email addresses, which leads to the hijacking of the email IDs. He discovered that the email addresses became vulnerable to hijacking when one of the following conditions occurs:

* When the SMTP of the recipient is offline

* The email has been deactivated by the recipient

* Recipient doesn’t exist or invalid email ID

* The recipient does exist but has blocked the sender

Here is how hijacking can be conducted: the attacker tries to verify the ownership status of an email address by emailing Google. Google sends an email to that address for verification. The email address cannot receive the email and hence, Google’s mail is sent back to the actual sender and this time it contains the verification code. This verification code will be used by the hacker and the ownership to that particular address will be confirmed.

This is not the first time when a Pakistani hacker has reported such critical security flaws. Previously, security researcher Rafay Baloch was paid $5000 as a bug bounty for reporting critical flaws in Chrome and FireFox plus $10,000 for exposing a Code Execution / Command Execution vulnerability in PayPal that allowed hackers to execute any command on the server.


This article has been corrected with an update after being contacted by Ahmed stating that he actually didn’t receive the bug bounty amount yet however one can expect a sum of $20,000 based on Google’s bug bounty payment program.

Source | hackread