A vulnerability in Gmail's verification system potentially allowed hackers to hijack accounts, according to security researcher Ahmed Mehtab. Google has already patched the vulnerability, which allowed attackers to take control of user accounts in a few simple steps.
Mehtab, co-founder of Security Fuse, found that an attacker could bypass the ownership verification Gmail performs when a user links a second email address to send mail from.
"Gmail allows its users from all over the world to use multiple email addresses and associate or link them with Gmail. Gmail also allows you to set forwarding addresses, so the emails which you receive are also sent to the one which you have forwarded to. These two modules were actually vulnerable to authentication or verification bypass. It's similar to account takeover, but here I as an attacker can hijack email addresses by confirming the ownership of the email, and was able to use it for sending emails," Mehtab said.
Google confirmed the vulnerability as well as its fix to Threatpost. Although the hack did give Mehtab the ability to take over an account, it did not appear to give him access to the contents of a compromised account. Google Drive, Photos and Play data, where user financial and personal information is generally stored, were also inaccessible.
According to Mehtab, "Any Gmail address which is associated or connected with Gmail's SMTP was vulnerable to this security issue." This includes @gmail.com, @googlemail.com and @googleemail.com addresses.
"There is a scenario where an attacker can trick the victim into deactivating his account, or the attacker can also trick the victim into blocking his email address so that he may not be able to receive emails from outside, and once he does that we can hijack his email address easily, because Gmail was bouncing back the email which contains the verification code. Moreover, the Forwarding section also requires a confirmation, which was also affected," Mehtab added.
The bug was disclosed to Google on 20 October. The tech giant was quick to address the issue, and on 1 November Mehtab's research was listed on the firm's "Hall of Fame".