Security News Gmail Verification Vulnerability (Status: Fixed)

[Ink]

A student and security researcher from Pakistan has found a serious issue with Gmail that makes it possible for a hacker to take over any email address.

The vulnerability relates to the way Google handles the linking of a primary Gmail account to another email address for the purposes of message forwarding. In just a few steps it was -- before Google fixed the problem -- possible to take over ownership of an email address by tricking the system into sending out the necessary verification code.

Ahmed Mehtab Blog: Gmail Account Hijacking Vulnerability | Ahmed Mehtab | Security Fuse

The video below goes into a little more detail:

• Attacker tries to confirm ownership of xyz@gmail.com
• Google sends email to xyz@gmail.com for confirmation
• xyz@gmail.com is not capable of receiving email, so email is bounced back to Google
• Google gives attacker a failure notification in his inbox with the verification code
• Attacker takes that verification code and confirms his ownership to xyz@gmail.com

 

[ForgottenSeer 55474]

THAT was very scaring,how can you avoid something like this

 

[SHvFl]

THAT was very scaring,how can you avoid something like this

It's fixed and no longer does that so nothing to avoid. You can't avoid a recovery system it's up to the developers to do it.

 

[Dirk41]

The person who found the flaw, Ahmed Mehtab, explains the conditions in which the flaw can be exploited:

• If recipient’s SMTP is offline
• If recipient has deactivated his email
• If recipient does not exist
• If recipient exists but has blocked a user

I don't know what the first point means , but it 's highly improbable my account is blocked , not exist or is deactivated