Skip to content ↓ | Skip to navigation ↓

Security Researcher Oren Hafif disclosed a serious vulnerability in Google’s popular Gmail offering which could have given attackers the opportunity to steal login credentials of users by way of a flaw in the password recovery process.

The exploit begins with a phishing email crafted to appear as a notification from Google which presents the target with a malicious link which initiates a Cross-site request forgery (CSRF) attack that makes the target believe they have made a password reset request.

The user may be may be unaware of the attack because they end up on a legitimate Google page which displays a secure HTTPS URL, but the attacker is still able to extract the new login credentials as the target enters them, as well as sniffing out the cookie issued.

Under certain circumstances, Google will require a CAPTCHA to prevent a CSRF attack, but the security precaution was flawed.

“The problem is that you only see this if this particular account was abused or your IP address is an abusing address. You should put CSRF protection on all data changing forms. If you rely on CAPTCHA’s as CSRF protection, make it consistent,” Hafif wrote.

Hafif reported the problem to Google, and they fixed it in little more than a week. The attack process is detailed on Hafif’s blog, and included is a video demonstration of the exploit.

Read more Here…

Hacking Point of Sale
  • Gmail suffered a temporary malfunction on Friday.
    Support for the social network Google+, including Hangouts, were in addition interrupted. In accordance with Reuters, the services were unavailable in India, Britain along with the Us. Customers looking to sign into Gmail were greeted with an error message.
    On Twitter, customers complained that they could not access their e-mail. The hashtag #whengmailwasdown were connected to jokes concerning having to sign onto chat providers supplied by AOL. Yahoo Inc. posted a screenshot of Gmail's error message on their Twitter account.