A student and security researcher from Pakistan has found a serious issue with Gmail that makes it possible for a hacker to take over any email address.
The vulnerability relates to the way Google handles the linking of a primary Gmail account to another email address for the purposes of message forwarding. In just a few steps it was -- before Google fixed the problem -- possible to take over ownership of an email address by tricking the system into sending out the necessary verification code.
Ahmed Mehtab Blog: Gmail Account Hijacking Vulnerability | Ahmed Mehtab | Security Fuse
The video below goes into a little more detail:
The vulnerability relates to the way Google handles the linking of a primary Gmail account to another email address for the purposes of message forwarding. In just a few steps it was -- before Google fixed the problem -- possible to take over ownership of an email address by tricking the system into sending out the necessary verification code.
Ahmed Mehtab Blog: Gmail Account Hijacking Vulnerability | Ahmed Mehtab | Security Fuse
The video below goes into a little more detail:
- Attacker tries to confirm ownership of xyz@gmail.com
- Google sends email to xyz@gmail.com for confirmation
- xyz@gmail.com is not capable of receiving email, so email is bounced back to Google
- Google gives attacker a failure notification in his inbox with the verification code
- Attacker takes that verification code and confirms his ownership to xyz@gmail.com
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
