GMAIL ACCOUNT HIJACKING VULNERABILITY | AHMED MEHTAB

TUESDAY, NOVEMBER 1, 2016 BY AHMED MEHTAB 5 COMMENTS

Introduction
Gmail lets users anywhere in the world add other email addresses and link them to their Gmail account, and it also lets you set forwarding addresses so that the mail you receive is also delivered to the address you forwarded to. Both of these modules were vulnerable to an authentication or verification bypass. It is similar to an account takeover, but here I, as an attacker, could hijack email addresses by confirming ownership of an address I did not control and could then use it for sending email.

Technical Details
If you click the gear button in Gmail you will find the two affected modules: "Account and Import" > "Send Mail As", and the Forwarding module. This is a logical vulnerability which allowed me to hijack email addresses from Gmail. Any Gmail address that is associated or connected with Gmail's SMTP was vulnerable to this security issue, whether @gmail.com, @googlemail.com, @googleemail.com, etc. We know that Gmail reports on mail delivery, i.e. whether an email was sent or not: if we send an email to an address that does not exist or is offline, Gmail bounces back a message with the subject "Delivery Status Notification", which contains the reason why Gmail failed to deliver the email to the recipient.

To hijack an email address, one of the following cases must hold for the attempt to succeed:
The recipient's SMTP server is offline
The recipient has deactivated their email
The recipient does not exist
The recipient exists but has blocked us
There could be even more cases
In all of the above cases the recipient will not be able to receive any email from our address, and all I needed was a bounced Delivery Status Notification. The bounce stating that your email wasn't delivered for the following reason also contained the complete message that had been sent for verification to the address you want to associate, including the verification code and the activation link. That verification code could then be used to verify and confirm ownership of the email address, which defeats the whole concept of verification. The same procedure also applied to the email forwarding module, which I found vulnerable as well. All we need is an address which is not capable of receiving email from our side, per the cases mentioned above.

In the image shown above you can clearly see how Gmail bounced back the email that contained the content forwarded for verification to the recipient, including the link and code used to confirm ownership.

There is also a scenario where an attacker can trick the victim into deactivating his account, or into blocking the attacker's email address so that he no longer receives email from outside; once he does that, we can hijack his email address easily because Gmail was bouncing back the email containing the verification code. Moreover, the Forwarding section also requires a confirmation, which was affected as well.

Procedure
Attacker tries to confirm ownership of [email protected]
Google sends an email to [email protected] for confirmation
[email protected] is not capable of receiving email, so the email is bounced back to Google
Google places a failure notification containing the verification code in the attacker's inbox
Attacker takes that verification code and confirms ownership of [email protected]
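As an added example (not part of the original post), the following toy Python model reproduces the logic of the procedure above: a one-time code is mailed to the target address, and when delivery fails the bounce either echoes the undelivered message back to the requester (the flaw) or withholds it (one way to close the hole). All addresses, class and function names are constructed for illustration and are not Gmail's implementation.

```python
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Mailbox:
    address: str
    reachable: bool = True                    # False: offline SMTP, deactivated, non-existent, or blocking us
    inbox: list = field(default_factory=list)


class SendMailAsVerifier:
    """Toy model, constructed for this example, of a 'Send mail as' ownership check."""

    def __init__(self, mailboxes, echo_body_in_dsn):
        self.boxes = mailboxes
        self.echo_body_in_dsn = echo_body_in_dsn  # True reproduces the flaw in the writeup
        self.pending = {}                          # (requester, target) -> one-time code

    def request(self, requester, target):
        code = secrets.token_hex(4)
        self.pending[(requester, target)] = code
        body = f"{requester} wants to send mail as {target}. Code: {code}"
        dest = self.boxes.get(target)
        if dest is not None and dest.reachable:
            dest.inbox.append(body)                # normal case: only the real owner sees the code
            return
        # Delivery failed, so a Delivery Status Notification goes back to the requester.
        dsn = "Delivery Status Notification (Failure): message could not be delivered\n"
        if self.echo_body_in_dsn:
            # The flaw: echoing the undelivered message hands the code to the requester.
            dsn += "---- Original message ----\n" + body
        self.boxes[requester].inbox.append(dsn)

    def confirm(self, requester, target, code):
        expected = self.pending.get((requester, target), "")
        return secrets.compare_digest(expected, code)


def attacker_gets_control(target_reachable, echo_body_in_dsn):
    """True if a requester who cannot reach the target can still confirm ownership of it."""
    attacker = Mailbox("attacker@example.invalid")
    victim = Mailbox("victim@example.invalid", reachable=target_reachable)
    svc = SendMailAsVerifier({attacker.address: attacker, victim.address: victim}, echo_body_in_dsn)
    svc.request(attacker.address, victim.address)
    # The attacker can only try codes that landed in their own inbox.
    leaked = re.findall(r"Code: ([0-9a-f]{8})", "\n".join(attacker.inbox))
    return any(svc.confirm(attacker.address, victim.address, c) for c in leaked)
```

With the echoing bounce the unreachable target is confirmed by the requester; with a bounce that carries only the failure reason, or with a reachable target, the requester never sees a valid code.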

You can clearly see the procedure in the video, which was recorded while Gmail was still vulnerable.

After confirming ownership I was able to use the address for sending emails, and it could also be used as an alias.

Timeline
20 OCT > Reported to Google
20 OCT > Report triaged
1 NOV > Report acknowledged in Hall of Fame

HTTPS://BUGHUNTER.WITHGOOGLE.COM/CHARACTERLIST/23
HTTPS://BUGHUNTER.WITHGOOGLE.COM/PROFILE/C0F2A725-A6AF-4F6D-AF41-67BCBDBE37B2

UPDATE:

Google paid me $500 for finding this vulnerability, and it was covered by different blogs and news channels. Some of them are listed below, including Forbes, CNN, the Kaspersky blog, IB Times UK and many more.

HTTP://WWW.FORBES.COM/SITES/LEEMATHEWS/2016/11/08/GMAIL-ATTACK-COULD-HIJACK-ACCOUNTS-IN-12-EASY-STEPS/
HTTP://WWW.IBTIMES.CO.UK/GOOGLE-PATCHES-GMAIL-VERIFICATION-FLAW-THAT-ALLOWED-ATTACKERS-TAKE-CONTROL-USER-ACCOUNTS-1590394
HTTPS://THREATPOST.COM/CLEVER-GMAIL-HACK-LET-ATTACKERS-TAKE-OVER-ACCOUNTS/121818/
HTTP://WWW.ITHOME.COM.TW/NEWS/109567
WWW.CNNTURK.COM/TEKNOLOJI/GMAILDE-HACK-SKANDALI

5 comments:


JAIDZER0
You should have been rewarded, that is a major flaw. Thank you for posting it.


HOSTFAT
Next time sell it for some Bitcoin 😉


BO0OM
Fckin genius


MOHAMMAD A EL-MUSLEH
Very nice..

