Google runs an initiative to make its applications and systems more secure by awarding prizes to anyone who finds a legitimate, exploitable bug.
Recently Ahmed Mehtab, a Pakistani student and CEO at Security Fuse, was listed in Google’s Hall of Fame for his contribution to Google’s Vulnerability Reward Program.
Ahmed Mehtab’s profile listed in Google Vulnerability Reward Program Hall of Fame
Ahmed Mehtab’s Contribution
If you have more than one email address, Google lets you associate or link them. Another feature Google provides is forwarding addresses, to which emails sent to the primary account can be forwarded.
Ahmed Mehtab found a way to show that these features were vulnerable to an authentication (ownership-verification) bypass.
The bypass is only possible if one of the following cases is true:
- The recipient’s SMTP server is offline.
- The recipient has deactivated their email account.
- The recipient address does not exist.
- The recipient exists but has blocked the sender.
The procedure is as follows:
- The attacker tries to confirm ownership of [email protected].
- Google sends a confirmation email to [email protected].
- [email protected] cannot receive email, so the message is bounced back to the sender.
- The bounced email contains the verification code.
- The attacker takes that verification code and confirms ownership of [email protected].
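As an added illustration (not code from the article, from Google, or from Ahmed Mehtab), here is a toy Python model of the flow above: a constructed MTA that bounces undeliverable mail to the envelope sender with the original body quoted, which is what hands the code back to the claimant, beside a hardened flow that sends from a system bounce mailbox and revokes any code seen in a bounce. All addresses, mailboxes and the DSN format are assumptions made for this example.

```python
import secrets
from email.message import EmailMessage

# Constructed mailboxes (assumption): addresses absent from this dict play the
# "recipient does not exist" case from the article.
SYSTEM_BOUNCE_BOX = "verify-bounces@example.com"
MAILBOXES = {"claimant@example.net": [], SYSTEM_BOUNCE_BOX: []}
PENDING = {}  # verification code -> (claimant, address being claimed)

def deliver(msg, rcpt, envelope_from):
    """Toy MTA: store the message, or return a DSN that quotes it to the envelope sender."""
    if rcpt in MAILBOXES:
        MAILBOXES[rcpt].append(msg)
        return
    dsn = EmailMessage()
    dsn["Subject"] = "Delivery Status Notification (Failure)"
    dsn["To"] = envelope_from
    # Many MTAs include the full original message; that is what leaks the code.
    dsn.set_content("550 5.1.1 user unknown\n\n" + msg.get_content())
    if envelope_from in MAILBOXES:
        MAILBOXES[envelope_from].append(dsn)

def send_verification(claimant, claimed, envelope_from):
    """Issue a fresh code for `claimed` and try to deliver it there."""
    code = secrets.token_hex(8)
    PENDING[code] = (claimant, claimed)
    msg = EmailMessage()
    msg["From"], msg["To"] = "noreply@example.com", claimed
    msg["Subject"] = "Confirm your address"
    msg.set_content(f"Your verification code is {code}")
    deliver(msg, claimed, envelope_from)
    return code

def process_system_bounces():
    """Hardened step: read the service's own bounce box and revoke every code found there."""
    revoked = 0
    for dsn in MAILBOXES[SYSTEM_BOUNCE_BOX]:
        for code in list(PENDING):
            if code in dsn.get_content():
                del PENDING[code]
                revoked += 1
    MAILBOXES[SYSTEM_BOUNCE_BOX].clear()
    return revoked

def codes_readable_by(addr):
    """Pending codes the owner of `addr` could read out of their own mailbox."""
    bodies = [m.get_content() for m in MAILBOXES.get(addr, [])]
    return [c for c in PENDING if any(c in b for b in bodies)]

def confirm(code):
    """Claimant presents a code; succeeds only while the code is still pending."""
    return PENDING.pop(code, None) is not None

def demo():
    """Run the article's scenario both ways; returns (vulnerable_confirmed, hardened_confirmed)."""
    claimant, ghost = "claimant@example.net", "nosuchuser@example.org"
    # Vulnerable: envelope sender is the claimant, so the bounce lands in their inbox.
    send_verification(claimant, ghost, envelope_from=claimant)
    leaked = codes_readable_by(claimant)
    vulnerable = confirm(leaked[0]) if leaked else False
    # Hardened: envelope sender is the system box; the bounce revokes the code.
    code = send_verification(claimant, ghost, envelope_from=SYSTEM_BOUNCE_BOX)
    process_system_bounces()
    return vulnerable, confirm(code)
```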
About Google’s Vulnerability Reward Program (VRP)
Google started this program to surface bugs and other security vulnerabilities in Google-owned web services.
The scope also includes Google-developed apps and extensions published in Google Play, iTunes or the Chrome Web Store.
For the vulnerability to qualify for VRP, the bug has to lie in one of the following categories:
- Cross-site scripting,
- Cross-site request forgery,
- Mixed-content scripts,
- Authentication or authorization flaws,
- Server-side code execution bugs.
Whoever reports a qualifying vulnerability, together with a write-up of how it can be exploited, can earn up to $20,000 from Google as a reward.
Via SecurityFuse
An auto and football enthusiast, you can contact Syed Zarar at [email protected]. For more discussions, contact him on Facebook (fb.com/TacticallyInept). He tweets at: @TacticallyInept.
Delivery to the following recipient failed permanently:
[email protected]
Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain gmail.com by gmail-smtp-in.l.google.com. [2a00:1450:4010:c07::1b].
The error that the other server returned was:
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient’s email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 https://support.google.com/mail/?p=NoSuchUser q16si193628lfa.368 - gsmtp
----- Message suppressed -----
It has been patched by Google since I reported it, and they acknowledged it.
WOW, proud to be Pakistani :)
Proud to be Pakistani
Well done :)
Thanks Dear :)
Great! Well Done brother!!!!
Well done man, proud of you dude..!
Keep up the good work (Y)
Good job dude. You deserve that 20 grand.
Well done Ahmed Mehtab
You showed the bright side of Pakistani people to world
Hats off (Y)
Well Done Brother!!!
Why would they send the verification email from the user’s account? That is the mistake they made. Emails from Google usually come from an address like [email protected], and that is the account where they’ll go when they bounce, not any user’s account.
Their mistake i suppose! :) still, Ahmed Mehtab did a good job :v
Verification is necessary to confirm ownership of an account, but they were bouncing back the failure notification with the confirmation code, which was really a serious issue, even though they fixed it within 24 hours after I reported it.
Typo in bullet point 3 — “dose not exist” — should be “does”
Good work bro.
good job man (y)
Typo in Para 2 – “Recently Ahmed Mehtab, a Pakistani student and CEO at *Security Fuss*”. It is Security Fuse!