Pakistani Hacker Discovers Vulnerability in Gmail to Hack any ID


Google is trying to secure its systems from bugs by rewarding those who find vulnerabilities that could be exploited by hackers.
Recently, Google listed Pakistani student Ahmed Mehtab in its ‘Hall of Fame’ for his contribution to Google’s ‘Vulnerability Reward Program’.

Ahmed Mehtab’s Contribution

You can link multiple email addresses to your Google account, and Google also provides a forwarding-address feature through which emails from a primary account can be forwarded to other accounts.

Ahmed Mehtab has just shown that these features can be abused for a verification or authentication bypass.

It can happen in any of the following scenarios:

  • The recipient’s SMTP server is offline.
  • The recipient has deactivated their email.
  • The recipient does not exist.
  • The recipient exists but has blocked the sender.

The complete procedure is listed below.

  • The attacker tries to confirm ownership of xyz@gmail.com.
  • Google sends an email to xyz@gmail.com for confirmation.
  • xyz@gmail.com is not able to receive email, so the email is bounced back to the sender.
  • This bounced email contains the verification code.
  • The attacker takes that verification code and confirms ownership of xyz@gmail.com.
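To show the defensive side of the flow described above, here is an added Python example (not code from the article and not Google’s implementation) of a verification service that sends every confirmation mail with a service-owned envelope sender (Return-Path) and invalidates the code the moment a delivery-status notification comes back for it. Every name in it (VerificationService, bounces.example.invalid, deliver_constructed) is an assumption made for this example, and the “recipient” and “MTA” are simulated in-process.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingVerification:
    """One outstanding 'prove you own this address' request (constructed model)."""
    account: str        # account that asked to link or forward to the address
    address: str        # address whose ownership must be proven
    token_hash: str     # sha256 of the one-time code; the plain code exists only in the email
    bounce_id: str      # id embedded in the Return-Path so a bounce can be matched to this request
    expires_at: float
    invalidated: bool = False


class VerificationService:
    """Hypothetical verification flow hardened against the bounce scenario."""

    BOUNCE_DOMAIN = "bounces.example.invalid"   # service-owned mailbox, never a user's

    def __init__(self):
        self.pending = {}   # bounce_id -> PendingVerification
        self.outbox = []    # constructed stand-in for the outgoing mail queue

    def start(self, account, address, ttl=900):
        token = secrets.token_urlsafe(24)
        bounce_id = secrets.token_hex(8)
        self.pending[bounce_id] = PendingVerification(
            account=account,
            address=address,
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            bounce_id=bounce_id,
            expires_at=time.time() + ttl,
        )
        # The envelope sender is a service-owned, per-request (VERP-style) address.
        # If the recipient is offline, deactivated, nonexistent or blocking, the DSN
        # carrying the original message comes back here, not to the requesting account.
        self.outbox.append({
            "envelope_from": f"bounce+{bounce_id}@{self.BOUNCE_DOMAIN}",
            "header_from": "no-reply@example.invalid",
            "to": address,
            "body": f"Your verification code is {token}",
        })
        # The token is returned only so this example can play the recipient's part.
        return bounce_id, token

    def handle_bounce(self, envelope_to):
        """Called by the bounce-mailbox processor for every DSN it receives."""
        local, _, domain = envelope_to.partition("@")
        if domain != self.BOUNCE_DOMAIN or not local.startswith("bounce+"):
            return False
        rec = self.pending.get(local[len("bounce+"):])
        if rec is None:
            return False
        rec.invalidated = True   # a code that bounced can never confirm ownership
        return True

    def confirm(self, account, address, token):
        """True only if the code is live, unbounced, unused and bound to this account/address."""
        now = time.time()
        digest = hashlib.sha256(token.encode()).hexdigest()
        for bounce_id, rec in list(self.pending.items()):
            if rec.account != account or rec.address != address:
                continue
            if (not rec.invalidated and rec.expires_at > now
                    and hmac.compare_digest(rec.token_hash, digest)):
                del self.pending[bounce_id]   # one-time use
                return True
        return False


def deliver_constructed(svc, mail, recipient_reachable):
    """Constructed stand-in for the receiving MTA: deliver, or bounce to the envelope sender."""
    if recipient_reachable:
        return mail["body"]              # the real owner reads the code from the mailbox
    svc.handle_bounce(mail["envelope_from"])   # DSN goes to the Return-Path, i.e. the service
    return None


if __name__ == "__main__":
    svc = VerificationService()
    _, code = svc.start("requester", "nobody@example.invalid")
    deliver_constructed(svc, svc.outbox[-1], recipient_reachable=False)
    print("bounced code accepted:", svc.confirm("requester", "nobody@example.invalid", code))
```

The two properties that matter are in `start` and `handle_bounce`: the bounce returns to an address the service controls rather than to whoever asked to link the address, and the request is marked invalid as soon as that bounce is seen, so the code inside the returned message is worthless even to someone who manages to read it. Binding the token to the requesting account and address in `confirm` prevents a code issued for one request from being replayed against another.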

About Google’s Vulnerability Reward Program (VRP)

This program was initiated by Google to surface vulnerabilities in Google-owned sites that could be hacked. It also covers apps developed by Google and extensions distributed through the Chrome Web Store, Google Play and iTunes.


A bug must fall into one of the following categories to qualify for the VRP:

  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs

If a person reports a vulnerability along with its details, Google rewards them with $20,000.
