Social Media Advertising

Pakistani Hacker Discovers Vulnerability in Gmail that Allowed Hijacking of Any Email ID

Pakistani Hacker Discovers Vulnerability in Gmail that Allowed Hijacking of Any Email ID

Google took an initiative to make their applications and systems more secure by awarding prizes to anyone who found a legitimate bug which could be exploited.

Recently Ahmed Mehtab, a Pakistani student and CEO at Security Fuss, was listed in Google’s Hall of Fame for his contribution in Google’s Vulnerability Reward Program.

Ahmed Mehtab’s profile listed in Google Vulnerability Reward Program Hall of Fame

Ahmed Mehtab’s Contribution

If you have more than one email address, Google allows the facility to associate or link them. Another feature that Google provides forwarding addresses, to which emails of the primary account can be forwarded to.

Ahmed Mehtab found a way to prove that these methods were actually vulnerable to authentication or verification bypass.

It is only possible if one of the following cases is true:

  • If recipients smtp is offline.
  • If recipient have deactivated his email.
  • If recipient does not exist.
  • If recipient exists but have blocked us.

Furthermore, the procedure is as following:

  • Attacker try’s to confirm ownership of xyz@gmail.com.
  • Google sends email to xyz@gmail.com for confirmation.
  • xyz@gmail.com is not capable to receive email so email is bounced back to sender
  • This bounced email will have the verification code
  • Attacker takes that verification code and confirms his ownership to xyz@gmail.com.

About Google’s Vulnerability Reward Program (VRP)

Google started this program to highlight bugs and other hacking vulnerabilities faced by Google-owned web service.

The scope also included Google-developed apps and extensions published in Google Play, iTunes or Chrome Web Store.

For the vulnerability to qualify for VRP, the bug has to lie in one of the following categories:

  • Cross-site scripting,
  • Cross-site request forgery,
  • Mixed-content scripts,
  • Authentication or authorization flaws,
  • Server-side code execution bugs.

Whoever highlights the vulnerabilities and creates a guide on how it can be exploited can earn up to $20,000 from Google as a reward.

Via SecurityFuse

An auto and football enthusiast, you can contact Syed Zarar at syed.zarar@propakistani.pk. For more discussions, contact him on Facebook (fb.com/TacticallyInept). He tweets at: @TacticallyInept.

Share
Published by
Syed Zarar
November 2, 2016 12:04 pm

Related Post

Recent Posts

Amir Khan Meets COAS Asim Munir Amid Boxing Training Academy Dispute

May 4, 2024

PTA is Against Blocking SIM Cards for Non-Filers

May 4, 2024

SmackDown In France Becomes Highest Grossing WWE Event Of All Time

May 4, 2024

Ten Most Destructive T20I Batters Since the 2022 T20 World Cup

May 4, 2024

Vivo Y100 4G Launches in Several Asian Countries for $250

May 4, 2024

Illegal Bus Stops to be Relocated Outside Karachi

May 4, 2024