Pakistani Hacker Discovers Vulnerability in Gmail that Allowed Hijacking of Any Email ID

Google took an initiative to make their applications and systems more secure by awarding prizes to anyone who found a legitimate bug which could be exploited.

Recently Ahmed Mehtab, a Pakistani student and CEO at Security Fuse, was listed in Google’s Hall of Fame for his contribution to Google’s Vulnerability Reward Program.


Ahmed Mehtab’s profile listed in Google Vulnerability Reward Program Hall of Fame

Ahmed Mehtab’s Contribution

If you have more than one email address, Google lets you associate or link them. Another feature Google provides is forwarding addresses, to which emails sent to the primary account can be forwarded.

Ahmed Mehtab found that both of these features were vulnerable to an authentication (verification) bypass.

The bypass is only possible if one of the following is true of the address being linked:

  • The recipient’s SMTP server is offline.
  • The recipient has deactivated their email account.
  • The recipient does not exist.
  • The recipient exists but has blocked the sender.
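Each of the four conditions above makes the receiving server refuse the verification mail, and a refused mail produces a delivery status notification (bounce) that quotes the original message and goes back to the envelope sender. The toy model below, an added example that is not code from the article or from Google, puts the flawed design (the requesting user’s own address is the sender, so the bounce carrying the confirmation code lands in the requester’s inbox) next to the hardened design (a dedicated system mailbox is the sender). All addresses, mailbox names and codes are constructed for the demo; only the “mailbox does not exist” condition is simulated.

```python
# Added example (not from the article or from Google): a toy model of the
# bounce-based verification bypass described above, with the hardened design
# beside it.  Every address, mailbox and code here is constructed for the demo.
import secrets
from email.message import EmailMessage

# Constructed directory of mailboxes the toy MTA will accept mail for.
KNOWN_MAILBOXES = {"alice@example.com", "verify-bounces@example.com"}


def build_verification_mail(sender, candidate, code):
    """Confirmation mail for linking `candidate` to an account.  `sender` is
    used both as the From header and as the SMTP envelope sender (Return-Path),
    which is the address any delivery status notification (DSN) is sent to."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = candidate
    msg["Subject"] = "Confirm this address"
    msg.set_content(f"Confirmation code: {code}")
    return sender, msg


def simulate_delivery(envelope_sender, msg, inboxes):
    """Toy MTA.  Deliver if the recipient mailbox exists; otherwise produce a
    550 5.1.1 DSN that quotes the original message (as real DSNs do) and hand
    it to the envelope sender.  Returns an SMTP-style reply string."""
    rcpt = str(msg["To"])
    if rcpt in KNOWN_MAILBOXES:
        inboxes.setdefault(rcpt, []).append(msg)
        return "250 2.0.0 OK"
    dsn = EmailMessage()
    dsn["From"] = "mailer-daemon@example.com"
    dsn["To"] = envelope_sender
    dsn["Subject"] = "Delivery Status Notification (Failure)"
    dsn.set_content(
        "550-5.1.1 The email account that you tried to reach does not exist.\n"
        "----- Original message -----\n" + msg.get_content()
    )
    inboxes.setdefault(envelope_sender, []).append(dsn)
    return "550 5.1.1 no such user"


def start_link_flow(requester, candidate, hardened):
    """Issue a code and mail it to `candidate`.  Flawed design: the requesting
    user's own address is the sender.  Hardened design: a dedicated system
    mailbox is the sender, so DSNs never reach the requester."""
    code = secrets.token_hex(4)
    sender = "verify-bounces@example.com" if hardened else requester
    inboxes = {}
    envelope_sender, msg = build_verification_mail(sender, candidate, code)
    reply = simulate_delivery(envelope_sender, msg, inboxes)
    return code, reply, inboxes


def code_visible_to(address, code, inboxes):
    """Does any message in `address`'s inbox contain the confirmation code?"""
    return any(code in m.get_content() for m in inboxes.get(address, []))


def requester_sees_code(requester, candidate, hardened):
    """Run one link attempt and report whether the code came back to the
    requester; True is the bypass condition the article describes."""
    code, _reply, inboxes = start_link_flow(requester, candidate, hardened)
    return code_visible_to(requester, code, inboxes)


if __name__ == "__main__":
    for hardened in (False, True):
        label = "hardened" if hardened else "flawed  "
        seen = requester_sees_code("alice@example.com",
                                   "nobody-here@example.com", hardened)
        print(label, "code reached requester:", seen)
```

The point of the hardened variant is not that the bounce disappears (the system mailbox still receives it) but that it arrives somewhere the requesting user has no access to, so a non-existent or blocked target address no longer hands the confirmation code back to whoever asked for the link. The same reasoning applies to the other three conditions in the list, since each ends in a DSN to the envelope sender.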

Furthermore, the procedure is as follows:

About Google’s Vulnerability Reward Program (VRP)

Google started this program to surface bugs and other exploitable vulnerabilities in Google-owned web services.

The scope also included Google-developed apps and extensions published in Google Play, iTunes or Chrome Web Store.

For the vulnerability to qualify for VRP, the bug has to lie in one of the following categories:

  • Cross-site scripting,
  • Cross-site request forgery,
  • Mixed-content scripts,
  • Authentication or authorization flaws,
  • Server-side code execution bugs.

Whoever reports a qualifying vulnerability and documents how it can be exploited can earn up to $20,000 from Google as a reward.

Via SecurityFuse

An auto and football enthusiast, you can contact Syed Zarar at [email protected] For more discussions, contact him on Facebook (fb.com/TacticallyInept). He tweets at: @TacticallyInept.

Sports Analyst & Head of Sports Desk.


  • Delivery to the following recipient failed permanently:

    [email protected]

    Technical details of permanent failure:

    Google tried to deliver your message, but it was rejected by the server for the recipient domain gmail.com by gmail-smtp-in.l.google.com. [2a00:1450:4010:c07::1b].

    The error that the other server returned was:

    550-5.1.1 The email account that you tried to reach does not exist. Please try

    550-5.1.1 double-checking the recipient’s email address for typos or

    550-5.1.1 unnecessary spaces. Learn more at

    550 5.1.1 https://support.google.com/mail/?p=NoSuchUser q16si193628lfa.368 - gsmtp

    ----- Message suppressed -----

  • Why would they send the verification email from the user’s account? That is the mistake they made. Emails from Google usually come from an address like [email protected], and that is the account where they’ll go when they bounce, not any user’s account.

    • Verification is necessary to confirm ownership of the account, but they were bouncing back the failure notification message with the confirmation code, which was really a serious issue, even though they fixed it within 24 hours after I reported it.

  • Typo in Para 2 – “Recently Ahmed Mehtab, a Pakistani student and CEO at *Security Fuss*”. It is Security Fuse!
