A security researcher has uncovered what Google has described as a “high impact” bug in its account recovery process, which could have potentially allowed hackers to trick users into handing over their passwords.
White-hat hacker Oren Hafif found the security hole, which has now been fixed by Google.
On his blog, Hafif describes how the security hole could be exploited, and made a video (blessed with a suitably funky beat) demonstrating how it could work.
Hafif’s demonstration of how to steal a Google password starts simply enough – with a fairly normal looking phishing email, claiming to come from Google.
The link really takes the intended victim to a website under the hacker’s control.
But only very briefly (the user most likely wouldn’t even notice), as that site quickly performs a cross-site request forgery (CSRF), which launches a cross-site scripting (XSS) attack that fools Google into believing that the user has requested a password reset, as if they were having trouble logging in.
You really are on an HTTPS Google.com webpage at this point.
And yet, the hacker is able to grab information about what you enter as your new password, and cookie information related to your account.
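The first link in the chain described above is a forged request that starts a password reset on the victim's behalf. The following Python snippet is an added illustration written for this article; it is not Google's code and says nothing about how Google's recovery flow was actually built. It contrasts a reset-initiation handler that trusts any request carrying the session cookie with one that also checks the request origin and a per-session anti-CSRF token. The origin `https://accounts.example.test`, the secret and the session values are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side secret used to derive anti-CSRF tokens (constructed for this example).
SECRET = b"constructed-server-secret-do-not-reuse"
ALLOWED_ORIGIN = "https://accounts.example.test"  # hypothetical first-party origin


@dataclass
class Session:
    """A logged-in browser session, identified by the cookie value the browser sends."""
    user: str
    session_id: str = field(default_factory=lambda: secrets.token_hex(16))


def csrf_token(session: Session) -> str:
    """Derive a per-session anti-CSRF token by HMAC-ing the session id.

    Only the first-party page can read this token and place it in the form;
    a cross-site page can make the browser send the cookie, but cannot read it.
    """
    return hmac.new(SECRET, session.session_id.encode(), hashlib.sha256).hexdigest()


def start_reset_vulnerable(session: Session, form: dict, origin: str) -> dict:
    """Weak handler: any request that arrives with a valid session cookie starts a reset.

    A page under the attacker's control can auto-submit a form to this endpoint;
    the browser attaches the victim's cookie and the reset is triggered.
    """
    return {"reset_started": True, "user": session.user}


def start_reset_hardened(session: Session, form: dict, origin: str) -> dict:
    """Hardened handler: require a first-party Origin and a matching anti-CSRF token."""
    if origin != ALLOWED_ORIGIN:
        return {"reset_started": False, "reason": "unexpected origin"}
    token = form.get("csrf", "")
    # Constant-time comparison avoids leaking token bytes through timing.
    if not hmac.compare_digest(token, csrf_token(session)):
        return {"reset_started": False, "reason": "missing or invalid csrf token"}
    return {"reset_started": True, "user": session.user}


def simulate() -> dict:
    """Run a forged cross-site request and a legitimate one through both handlers."""
    session = Session(user="victim@example.test")

    # Forged request: auto-submitted from the attacker's site, no token available to it.
    forged_form = {}
    forged_origin = "https://attacker.example.test"  # constructed hostile origin

    # Legitimate request: submitted from the first-party page that embedded the token.
    legit_form = {"csrf": csrf_token(session)}

    return {
        "vulnerable_forged": start_reset_vulnerable(session, forged_form, forged_origin),
        "hardened_forged": start_reset_hardened(session, forged_form, forged_origin),
        "hardened_legit": start_reset_hardened(session, legit_form, ALLOWED_ORIGIN),
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The token check stops the forged reset request itself; the cross-site scripting half of the chain, which lets the attacker read what the victim then types into the genuine reset page, needs separate defences such as strict output encoding and a Content Security Policy on the reset page.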
Fortunately, Hafif is one of the good guys rather than a malicious attacker, and so he informed Google of the serious security hole.
Within 10 days, Google had fixed the problem. So stop thinking that you can abuse this flaw for your own nefarious, law-breaking purposes.
Google’s Sebastian Roschke confirmed on Google Plus that Hafif will receive a bug bounty under the Google Vulnerability Reward Program for his trouble, and a place in the company’s Hall of Fame.
Learn more of the nitty-gritty about the Google Account Recovery security hole by reading Oren Hafif’s blog on the subject.
Hi Graham, First time to visit. Thank You for letting the Google users such as myself, learn about the recent issues and some other noted, past issues with Google. Really enjoyed your article and information. In the case of Oren Hafif's discovery of the "hole/flaw" in the Google security dealing with passwords, I am especially grateful. I recently started the process of both updating my layers of passwords within my computer as well as utilizing the Google overlapping account password verification-notification process. NOT sure how often the good guys get thanks for keeping an "Eye" on things? Here's ONE BIG THANK YOU! I signed up for your site as well! Rocky
All my accounts have been hacked. This has been one of the most evil things I've experienced in my life. I pray it's not someone I know. I feel violated, angry and sad for whoever has done this. Please help me for this has been going on for months and now I know how it feels to have your identity stolen. Please help in any way that is legally possible.
Thank You, Linda
December 12, 2015