A graduate seminar: current topics in computer security
 

Hack Gmail using Password Reset Vulnerability

Security researcher Oren Hafif has discovered a critical vulnerability in Gmail's password-reset system. It allows an attacker to gain access to any user's Gmail account.

He demonstrated the attack by chaining cross-site request forgery (CSRF), cross-site scripting (XSS) and a flow bypass, and by tricking Google users into handing over their passwords via a simple spear-phishing email.

The attack proceeds in the following steps:

1. Select a target and compose an email that looks like it came from the Gmail Team.

2. Ask the user to confirm ownership of the account by clicking a link.

3. Take the password from the user. Most anti-phishing filters fail here because the link points to https://www.google.com/… and the user stays on Google's own domain throughout the attack; this step is carried out using cross-site request forgery (CSRF).

4. Once the user enters the password, grab the password and session cookies via the XSS bug, then tell the user that they have been hacked.
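The checks that break this chain, as an added illustration that is not part of the original post and not Google's code: a toy password-reset handler (hypothetical functions, in-memory stores and a made-up form layout) that binds each reset to a single-use, time-limited token, rejects form posts that do not carry the CSRF token tied to the victim's session, constrains the post-reset "continue" target to a same-site relative path instead of following it blindly, and HTML-escapes everything it reflects.

```python
# Added example (not from the original post and not Google's code): a toy
# password-reset handler with the three checks that break the
# phishing -> CSRF -> XSS chain described above. All names, stores and the
# request shape are assumptions made for this illustration.
import hmac
import re
import secrets
import time
from html import escape

RESET_TTL_SECONDS = 15 * 60

# In-memory stores standing in for a session table and a reset-token table.
SESSION_CSRF = {}   # session_id -> CSRF token bound to that session
RESET_TOKENS = {}   # reset token -> (user, expiry timestamp)
PASSWORDS = {}      # user -> current password (toy store, plaintext on purpose)

# Only a same-site relative path is accepted as the post-reset "continue"
# target: no scheme, no host, and not a scheme-relative "//host/..." form.
SAFE_PATH = re.compile(r"/(?!/)[A-Za-z0-9_./~%-]*")


def new_session():
    """Create a session and bind a fresh CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSION_CSRF[sid] = secrets.token_urlsafe(32)
    return sid


def issue_reset_token(user, now=None):
    """Mint a single-use, time-limited reset token bound to one account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (user, now + RESET_TTL_SECONDS)
    return token


def safe_continue_url(raw):
    """Flow-bypass / open-redirect check: fall back to "/" for anything
    that is not a plain same-site path."""
    raw = raw or ""
    return raw if SAFE_PATH.fullmatch(raw) else "/"


def handle_reset(session_id, form, now=None):
    """Process a POSTed reset form. Returns (http_status, html_body)."""
    now = time.time() if now is None else now

    # 1. CSRF: a cross-site form post cannot carry the token bound to the
    #    victim's session, so a forged request fails here.
    expected = SESSION_CSRF.get(session_id, "")
    supplied = str(form.get("csrf", ""))
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "<p>Request rejected: missing or wrong CSRF token.</p>"

    # 2. Reset token: popped on first use (single use), then checked for expiry.
    entry = RESET_TOKENS.pop(str(form.get("reset_token", "")), None)
    if entry is None or entry[1] < now:
        return 400, "<p>Reset link is invalid or has expired.</p>"
    user, _ = entry
    PASSWORDS[user] = str(form.get("new_password", ""))

    # 3. XSS / redirect: constrain the continue target and HTML-escape
    #    everything reflected into the response.
    nxt = safe_continue_url(form.get("continue"))
    body = (
        f"<p>Password for {escape(user)} updated.</p>"
        f'<a href="{escape(nxt, quote=True)}">Continue</a>'
    )
    return 200, body


if __name__ == "__main__":
    sid = new_session()
    tok = issue_reset_token("alice")
    # Forged cross-site post: no CSRF token -> 403, password untouched.
    print(handle_reset(sid, {"reset_token": tok, "new_password": "pwned"}))
    # Legitimate post with an attacker-supplied continue URL -> 200, href="/".
    print(handle_reset(sid, {"csrf": SESSION_CSRF[sid], "reset_token": tok,
                             "new_password": "s3cret",
                             "continue": "https://evil.example/phish"}))
```

In a real deployment the dictionaries are the session and reset-token tables, the CSRF token is normally paired with SameSite cookies, and the password is hashed before storage; the three checks, and the order they run in, are the point of the example.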

The following video includes the demonstration.

Mr. Hafif reported the issue to Google's security engineers, who have since fixed the bug. Google also awarded Mr. Hafif $5,100 under its bug bounty program.
