Pakistani hacker found a vulnerability in Gmail’s verification process that allowed hijacking of any email account
In order to keep users safe from cyberattacks, several major websites have implemented bug bounty programs to give novice programmers, white hat hackers and security researchers an opportunity to discover and resolve bugs before the general public is aware of them, thereby preventing incidents of widespread abuse.
One such website is Google, which invites researchers worldwide to find flaws in its newest or existing applications, extensions, software and operating system that are available at Google Play, Chrome Web Store and/or iTunes, and awards prizes to anyone who finds a legitimate bug which could be exploited. The main objective of these programs is to make Google’s applications and systems more secure and protected.
Recently, Ahmed Mehtab, a Pakistani student and CEO at Security Fuss, was listed in Google’s Hall of Fame for his contribution to Google’s Vulnerability Reward Program (VRP).
In order for Ahmed to qualify for Google’s VRP, it was important that the identified bug or vulnerability fall into one of the categories mentioned below. If the vulnerability is identified as a valid one, the hacker can expect to receive up to $20,000 from Google as a reward.
If a user has more than one email address, Google allows the user to associate or link all of the addresses, and also allows forwarding addresses, to which emails of the primary account can be forwarded.
Ahmed found a way to prove that these methods adopted by Google were actually vulnerable to authentication or verification bypass, which leads to the hijacking of the email IDs.
However, it is possible only if one of the following cases is true:
Further, here is how hijacking is carried out:
This is not the first time a Pakistani hacker has reported such serious security flaws. Earlier, security researcher Rafay Baloch was paid $5000 as a bug bounty for reporting dangerous flaws in Chrome and Firefox, along with $10,000 for revealing a Code Execution/Command Execution vulnerability in PayPal that allowed hackers to execute any command on the server.