Security Researcher Oren Hafif disclosed a serious vulnerability in Google’s popular Gmail offering which could have given attackers the opportunity to steal login credentials of users by way of a flaw in the password recovery process.
The exploit begins with a phishing email crafted to appear as a notification from Google which presents the target with a malicious link which initiates a Cross-site request forgery (CSRF) attack that makes the target believe they have made a password reset request.
The user may be unaware of the attack because they end up on a legitimate Google page which displays a secure HTTPS URL, but the attacker is still able to extract the new login credentials as the target enters them, as well as sniffing out the cookie issued.
Under certain circumstances, Google will require a CAPTCHA to prevent a CSRF attack, but the security precaution was flawed.
“The problem is that you only see this if this particular account was abused or your IP address is an abusing address. You should put CSRF protection on all data changing forms. If you rely on CAPTCHAs as CSRF protection, make it consistent,” Hafif wrote.
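Hafif's advice above is to protect every data-changing form with a CSRF check rather than an inconsistently shown CAPTCHA. The following is an added example, not code from Hafif's blog or from Google, that shows a password-reset handler with no CSRF defence beside one using the synchronizer-token pattern and an Origin header check. The `Session` class, the `SITE_ORIGIN` value and the form dictionaries are constructed stand-ins for a real web framework's session store and request objects.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store; hypothetical, not Google's code.
class Session:
    def __init__(self):
        self.password = "old-password"
        self.csrf_token = secrets.token_urlsafe(32)  # per-session secret, never exposed to other origins

SITE_ORIGIN = "https://accounts.example.test"  # assumed origin of the legitimate reset page


def reset_password_unprotected(session, form):
    """Weak handler: trusts any POST that carries the session cookie.
    A form auto-submitted from a phishing page is accepted, which is the
    cross-site request forgery pattern the article describes."""
    new_password = form.get("new_password")
    if not new_password:
        return 400
    session.password = new_password
    return 200


def render_reset_form(session):
    """The legitimate reset page embeds the session's token as a hidden field.
    A page on another origin cannot read this value."""
    return {"csrf_token": session.csrf_token}


def reset_password_protected(session, form, origin=None):
    """Hardened handler: synchronizer-token check plus an Origin header check.
    Returns an HTTP-style status code."""
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; encoding to bytes lets compare_digest accept any str input.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403
    # Browsers attach Origin to cross-site POSTs; a mismatch is an independent second signal.
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    new_password = form.get("new_password")
    if not new_password:
        return 400
    session.password = new_password
    session.csrf_token = secrets.token_urlsafe(32)  # rotate the token once it has been used
    return 200


def demo():
    """Runs the scenarios and returns their outcomes for inspection."""
    results = {}

    # 1. Forged request against the unprotected handler: cookie present, no token needed.
    s = Session()
    results["unprotected_forged_status"] = reset_password_unprotected(s, {"new_password": "attacker-chosen"})
    results["unprotected_forged_changed"] = s.password == "attacker-chosen"

    # 2. Same forged request against the protected handler: no token at all.
    s = Session()
    results["protected_no_token"] = reset_password_protected(
        s, {"new_password": "attacker-chosen"}, origin="https://phish.example.test")

    # 3. Forged request with a guessed token (the real one is unreadable cross-origin).
    results["protected_guessed_token"] = reset_password_protected(
        s, {"new_password": "attacker-chosen", "csrf_token": secrets.token_urlsafe(32)},
        origin="https://phish.example.test")
    results["protected_password_untouched"] = s.password == "old-password"

    # 4. Legitimate flow: the user loads the real form, then submits it with the embedded token.
    form = render_reset_form(s)
    form["new_password"] = "user-chosen"
    old_token = s.csrf_token
    results["legit_status"] = reset_password_protected(s, form, origin=SITE_ORIGIN)
    results["legit_changed"] = s.password == "user-chosen"
    results["token_rotated"] = s.csrf_token != old_token

    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token check is what makes the defence consistent: it applies to every submission regardless of whether the account or source address has been flagged, which is exactly the gap Hafif describes in the CAPTCHA-based approach. Rotating the token after a successful change limits the value of any single leaked form.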
Hafif reported the problem to Google, and they fixed it in little more than a week. The attack process is detailed on Hafif’s blog, along with a video demonstration of the exploit.