The security researcher Oren Hafif discovered several vulnerable points in Google's password recovery procedure that could be used by malicious users to gain access to other people's accounts.
Phishing attacks against Google are not uncommon, but the researcher managed to devise a very realistic variant of such an attack by chaining several shortcomings he found in the password recovery process.
Three different security flaws were exploited for this attack: a cross-site request forgery (CSRF), a cross-site scripting (XSS) and a flow bypass.
The researcher published a spear-phishing attack scenario. The attacker sends the victim a fake "Account Ownership Confirmation" message that looks very much like a Gmail page.
The email asks the recipient to confirm ownership of the account by clicking on a link and providing a username and password. The link in the e-mail appears to be a google.com URL, but actually directs the victim to the attacker's website.
This is where the exploitation of vulnerabilities takes place.
Google corrected the vulnerabilities within 10 days of notification and will reward Hafif with 5,100 dollars.
Additional technical details about this attack are available on Hafif's blog.