Google Fixes Sneaky Gmail Exploit That Could Leave Any Account Vulnerable To Email Hijacking
Ahmed Mehtab, a student from Pakistan and the CEO of Security Fuse, is in the running to score a $20,000 payday from Google's bug bounty program. While there remains some red tape to clear, Mehtab is likely to receive the bounty for discovering a rather crafty flaw in Gmail relating to its authentication and verification system, one that could make it possible for a remote hacker to hijack a Gmail account.
The vulnerability lies in how Google handles multiple Gmail accounts. A user who has more than one Gmail address can link them and have the primary Gmail account forward email to secondary accounts. If a specific set of conditions exist, it them becomes possible to hijack an email account belonging to someone else. Those conditions include:
- Recipient's SMTP is offline
- Recipient has deactivated his email
- Recipient does not exist or the email ID is invalid
- Recipient exists but has blocked the sender
Check it out: