A security researcher has uncovered what Google has described as a “high impact” bug in its account recovery process, which could have potentially allowed hackers to trick users into handing over their passwords.
White-hat hacker Oren Hafif found the security hole, which has now been fixed by Google.
On his blog, Hafif describes how the security hole could be exploited, and made a video (blessed with a suitably funky beat) demonstrating how it could work.
Hafif’s demonstration of how to steal a Google password starts simply enough – with a fairly normal looking phishing email, claiming to come from Google.
The link really takes the intended victim to a website under the hacker’s control.
But only very briefly (the user most likely wouldn’t even notice), as that site quickly performs a Cross-site request forgery (CSRF), launching a cross-site scripting (XSS) attack which fools Google into believing that the user has requested a password reset, as if they were having trouble logging in.
You really are on an HTTPS Google.com webpage at this point.
And yet, the hacker is able to grab information about what you enter as your new password, and cookie information related to your account.
Fortunately, Hafif is one of the good guys rather than a malicious attacker, and so he informed Google of the serious security hole.
Within 10 days, Google had fixed the problem. So stop thinking that you can abuse this flaw for your own nefarious, law-breaking purposes.
Learn more of the nitty-gritty about the Google Account Recovery security hole by reading Oren Hafif’s blog on the subject.