Google Fixes Sneaky Gmail Exploit That Could Leave Any Account Vulnerable To Email Hijacking

Ahmed Mehtab, a student from Pakistan and the CEO of Security Fuse, is in the running to score a $20,000 payday from Google's bug bounty program. While there remains some red tape to clear, Mehtab is likely to receive the bounty for discovering a rather crafty flaw in Gmail relating to its authentication and verification system, one that could make it possible for a remote hacker to hijack a Gmail account.

The vulnerability lies in how Google handles multiple Gmail accounts. A user who has more than one Gmail address can link them and have the primary Gmail account forward email to secondary accounts. If a specific set of conditions exist, it them becomes possible to hijack an email account belonging to someone else. Those conditions include:

• Recipient's SMTP is offline
• Recipient has deactivated his email
• Recipient does not exist or the email ID is invalid
• Recipient exists but has blocked the sender

This is where things get interesting. If an attacker goes into his Gmail settings and tries to add a Gmail address as a secondary Gmail, Google sends an email to that address for verification. Since the email address can't receive the email, it gets bounced back to the sender, or the primary Gmail, with a message that it's undeliverable. However, the bounced email also contains the verification code, which the hacker can input to verify the account.

Check it out: