Google tries to secure its systems against bugs by paying rewards to those who find vulnerabilities that attackers could exploit.
Recently, Google listed security researcher Ahmed Mehtab in its ‘Hall of Fame’ for his contribution to Google’s ‘Vulnerability Reward Program’.
Ahmed Mehtab’s Contribution
In Google you can link multiple email addresses to one account, and Google also provides a forwarding-address feature through which email sent to a primary account is forwarded to other accounts.
Ahmed Mehtab has just shown that these features can be abused to bypass verification or authentication.
This can happen in any of the following situations:
- The recipient’s SMTP server is offline.
- The recipient has deactivated their email account.
- The recipient address does not exist.
- The recipient exists but has blocked the sender.
The complete procedure is as follows:
- The attacker tries to confirm ownership of [email protected].
- Google sends a confirmation email to [email protected].
- [email protected] cannot receive email, so the message is bounced back to the sender.
- The bounced message contains the verification code.
- The attacker takes that verification code and confirms ownership of [email protected].
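The flow above depends on two things: the delivery status notification (DSN) quotes the original message, code included, and that DSN is routed back to a mailbox the requester controls. The following added example, which is constructed for this article and is not Google’s code, models both halves with a toy mail network and a hypothetical address-verification service. In the weak configuration the Return-Path is the requesting account, so the bounce (and the code) lands in the requester’s inbox and the link is accepted; in the hardened configuration the Return-Path is a dedicated bounce address (`bounces@verifier.invalid`, a placeholder) and a bounce revokes the outstanding code, so the code is never seen and could not be used even if it were.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass, field

# Hypothetical dedicated Return-Path for verification mail (placeholder address).
BOUNCE_HANDLER = "bounces@verifier.invalid"


@dataclass
class Mailbox:
    address: str
    online: bool = True            # False models the "SMTP offline" case
    inbox: list = field(default_factory=list)


class MailNetwork:
    """Constructed toy MTA: delivers a message, or returns a DSN to the Return-Path."""

    def __init__(self):
        self.boxes = {}

    def add(self, box):
        self.boxes[box.address] = box

    def deliver(self, to, return_path, body):
        box = self.boxes.get(to)
        if box is not None and box.online:
            box.inbox.append(body)
            return "delivered"
        # A real DSN quotes the undeliverable message back to the Return-Path.
        # That quoted copy is exactly where the verification code leaks.
        dsn = "Delivery Status Notification (Failure)\n--- original message ---\n" + body
        target = self.boxes.get(return_path)
        if target is not None:
            target.inbox.append(dsn)
        return "bounced"


class VerificationService:
    """Hypothetical address-linking service; `hardened` toggles the mitigation."""

    def __init__(self, net, hardened):
        self.net = net
        self.hardened = hardened
        self.tokens = {}  # sha256(code) -> record; store only the hash of the code

    @staticmethod
    def _h(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def request_link(self, requester, claimed):
        code = secrets.token_urlsafe(16)
        self.tokens[self._h(code)] = {"requester": requester, "claimed": claimed, "revoked": False}
        body = f"To link {claimed} to {requester}, use code {code}"
        # Weak: bounces return to the requester. Hardened: bounces go to a
        # handler the requester never reads.
        return_path = BOUNCE_HANDLER if self.hardened else requester
        status = self.net.deliver(claimed, return_path, body)
        if status == "bounced" and self.hardened:
            # The claimed mailbox never saw the code, so it must not be usable.
            # (A real handler would do this asynchronously when the DSN arrives.)
            self.tokens[self._h(code)]["revoked"] = True
        return status

    def confirm(self, requester, code):
        rec = self.tokens.get(self._h(code))
        return rec is not None and not rec["revoked"] and rec["requester"] == requester


def simulate(hardened):
    """Run the bounce scenario; report whether the code leaked and whether the link succeeded."""
    net = MailNetwork()
    requester = Mailbox("requester@example.test")
    claimed = Mailbox("victim@example.test", online=False)   # recipient cannot receive mail
    net.add(requester)
    net.add(claimed)
    svc = VerificationService(net, hardened)
    status = svc.request_link(requester.address, claimed.address)
    # Any code visible in the requester's own inbox is a leak.
    visible = [m.group(1) for m in (re.search(r"use code (\S+)", msg) for msg in requester.inbox) if m]
    linked = any(svc.confirm(requester.address, c) for c in visible)
    return {"status": status, "leaked": bool(visible), "linked": linked}


if __name__ == "__main__":
    print("weak:    ", simulate(hardened=False))   # leaked and linked
    print("hardened:", simulate(hardened=True))    # neither
```

The two controls are independent: routing DSNs to a dedicated Return-Path keeps the quoted code out of the requester’s reach, and revoking a code on bounce means a code that leaks by some other path is still worthless. For detection, the same bounce handler is the natural place to alert on a successful link for an address whose verification mail bounced.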
About Google’s Vulnerability Reward Program (VRP)
Google started this program to surface exploitable vulnerabilities in Google-owned sites. It also covers apps and browser extensions developed by Google and distributed through the Chrome Web Store, Google Play and iTunes.
The bug must fall into one of the following categories to qualify for the VRP:
- Cross-site scripting,
- Cross-site request forgery,
- Mixed-content scripts,
- Authentication or authorization flaws,
- Server-side code execution bugs.
A person who reports such a vulnerability along with its details is rewarded by Google with $20,000.