Security researcher Oren Hafif discovered several weak points in Google's password recovery process that could have been used by malicious users to gain access to other people's accounts.
Phishing attacks against Google users are nothing unusual, but the researcher found a particularly convincing way to carry one out by chaining several flaws he identified in the password recovery flow.
Three separate security gaps were exploited for the attack: a cross-site request forgery (CSRF), a cross-site scripting (XSS) flaw, and a flow bypass.
The researcher published a spear-phishing attack scenario. The attacker sends the victim a fake "Account Ownership Confirmation" message that closely resembles a Gmail page.
The email asks the recipient to confirm ownership of the account by clicking a link and entering a username and password. The link in the email appears to be a google.com URL, but it actually leads the victim to the attacker's website.
This is where the vulnerabilities are exploited.
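The deceptive link described above (visible text naming google.com, actual destination elsewhere) is something a mail gateway can check for automatically. The following is an added example, not code from the article or from Hafif's research: it parses the anchors in an HTML email body and flags any whose displayed text names a trusted domain while the href points somewhere that is not that domain or one of its subdomains. The sample email body is constructed for illustration; the hostname in it is a placeholder, not a real attacker site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        # Text nested inside the anchor (including inside <b>, <span>, ...) is
        # part of what the recipient sees as the link.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of a URL, or None if it has none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower() or None


def is_under(host, domain):
    """True if host is domain itself or a subdomain of it (exact label match,
    so 'accounts-google.example.net' is NOT under 'google.com')."""
    return host == domain or host.endswith("." + domain)


def find_deceptive_links(html_body, trusted_domains=("google.com",)):
    """Return a list of findings for anchors whose visible text names a
    trusted domain but whose href resolves to a host outside that domain."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        target = host_of(href)
        if target is None:
            continue  # relative or empty link; nothing to compare against
        shown = text.lower()
        for domain in trusted_domains:
            if domain in shown and not is_under(target, domain):
                findings.append({
                    "text": text,
                    "href": href,
                    "reason": f"link text names {domain} but target host is {target}",
                })
                break
    return findings


# Constructed sample: one lookalike link and one legitimate link.
SAMPLE_EMAIL = """
<p>Please confirm ownership of your account:</p>
<a href="http://accounts-google.example.net/confirm">
  <b>https://www.google.com/accounts/recovery</b>
</a>
<p>Need help? <a href="https://support.google.com/mail">Gmail Help (google.com)</a></p>
"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {finding['reason']} (href={finding['href']})")
```

The check is deliberately conservative: it only fires when the displayed text itself claims a trusted domain, which is exactly the mismatch a recipient cannot see without hovering over the link. Links whose text is a plain label ("Click here") pass through and need a different signal, such as the age or reputation of the target host.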
Google fixed the vulnerabilities within 10 days of being notified and will reward Hafif with $5,100.
Further technical details about the attack are available on Hafif's blog.