Google Fixes Sneaky Gmail Exploit That Could Leave Any Account Vulnerable To Email Hijacking


Ahmed Mehtab, a student from Pakistan and the CEO of Security Fuse, is in the running to score a $20,000 payday from Google's bug bounty program. While there remains some red tape to clear, Mehtab is likely to receive the bounty for discovering a rather crafty flaw in Gmail relating to its authentication and verification system, one that could make it possible for a remote hacker to hijack a Gmail account.

The vulnerability lies in how Google handles multiple Gmail accounts. A user who has more than one Gmail address can link them and have the primary Gmail account forward email to secondary accounts. If any one of the following conditions holds for the address being added, it then becomes possible to hijack an email account belonging to someone else:
  • Recipient's SMTP is offline
  • Recipient has deactivated his email
  • Recipient does not exist or the email ID is invalid
  • Recipient exists but has blocked the sender
This is where things get interesting. If an attacker goes into his Gmail settings and tries to add a Gmail address as a secondary (forwarding) address, Google sends a verification email containing a confirmation code to that address. Because the address cannot receive mail, the receiving server returns a bounce (a non-delivery report) to the envelope sender, which here is the attacker's primary Gmail account. Bounces routinely quote the original message in full, so the bounce also carries the verification code, which the attacker can then enter to confirm the forwarding address as his own.
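To make the failure mode concrete, here is a small simulation added for this article; it is not Google's code and does not claim to show how Gmail was implemented or patched. It models a toy mail transfer agent that, like many real MTAs, quotes the original message inside its non-delivery reports, and a toy "add forwarding address" service that mails a confirmation code to the target. All addresses are constructed, `victim@example.com` is deliberately undeliverable so that the mail bounces, and the hardened variant (a service-owned bounce mailbox whose returned codes are revoked) is a general mitigation chosen for illustration, not a description of Google's fix.

```python
import re
import secrets
from email.message import EmailMessage

# Constructed addresses for the simulation (not real accounts).
ATTACKER = "attacker@example.com"
VICTIM = "victim@example.com"                  # no mailbox exists: mail to it bounces
BOUNCE_BOX = "forwarding-bounces@example.com"  # assumed service-owned bounce address
CODE_RE = re.compile(r"Confirmation code: ([0-9a-f]{8})")


class ToyMTA:
    """Delivers to known mailboxes; otherwise returns a non-delivery report to
    the *envelope* sender. Like many real MTAs, the report quotes the original
    message in full, which is exactly what leaks the code."""

    def __init__(self, mailboxes):
        self.mailboxes = {addr: [] for addr in mailboxes}

    def send(self, envelope_from, envelope_to, msg):
        if envelope_to in self.mailboxes:
            self.mailboxes[envelope_to].append(msg)
            return True
        dsn = EmailMessage()
        dsn["From"] = "MAILER-DAEMON@example.com"
        dsn["To"] = envelope_from
        dsn["Subject"] = "Delivery Status Notification (Failure)"
        dsn.set_content(
            f"Delivery to {envelope_to} failed permanently: user unknown.\n\n"
            "----- Original message -----\n" + msg.as_string())
        self.mailboxes.setdefault(envelope_from, []).append(dsn)
        return False


class ForwardingService:
    """Toy 'add a forwarding address' flow. With requester_as_envelope_sender=True
    the confirmation mail bounces back to the requesting user (the weak design the
    article describes); with False it bounces to a service-owned mailbox."""

    def __init__(self, mta, requester_as_envelope_sender):
        self.mta = mta
        self.requester_as_envelope_sender = requester_as_envelope_sender
        self.pending = {}    # code -> (requester, target)
        self.verified = set()

    def request_forwarding(self, requester, target):
        code = secrets.token_hex(4)          # 8 hex chars
        self.pending[code] = (requester, target)
        msg = EmailMessage()
        msg["From"] = "forwarding-noreply@example.com"
        msg["To"] = target
        msg["Subject"] = f"{requester} wants to forward mail to your address"
        msg.set_content(f"Confirmation code: {code}")
        envelope_from = requester if self.requester_as_envelope_sender else BOUNCE_BOX
        self.mta.send(envelope_from, target, msg)

    def process_bounces(self):
        """Hardened side: any code that comes back undelivered is revoked, so a
        copy leaked through a bounce can no longer be redeemed."""
        revoked = 0
        for dsn in self.mta.mailboxes.get(BOUNCE_BOX, []):
            m = CODE_RE.search(dsn.get_content())
            if m and self.pending.pop(m.group(1), None):
                revoked += 1
        self.mta.mailboxes[BOUNCE_BOX] = []
        return revoked

    def confirm(self, requester, code):
        entry = self.pending.get(code)
        if entry is None or entry[0] != requester:
            return False
        del self.pending[code]
        self.verified.add(entry)
        return True


def harvest_code(mta, mailbox):
    """Attacker side: read the confirmation code out of any bounce in the mailbox."""
    for msg in mta.mailboxes.get(mailbox, []):
        if msg["From"].startswith("MAILER-DAEMON"):
            m = CODE_RE.search(msg.get_content())
            if m:
                return m.group(1)
    return None


def run_scenario(requester_as_envelope_sender):
    """Attacker adds the undeliverable victim address, then tries to confirm it
    using whatever code bounced back into the attacker's own mailbox."""
    mta = ToyMTA([ATTACKER, BOUNCE_BOX])
    svc = ForwardingService(mta, requester_as_envelope_sender)
    svc.request_forwarding(ATTACKER, VICTIM)
    revoked = svc.process_bounces()
    code = harvest_code(mta, ATTACKER)
    hijacked = code is not None and svc.confirm(ATTACKER, code)
    return {"code_leaked": code is not None, "hijacked": hijacked, "revoked": revoked}


if __name__ == "__main__":
    print("weak design:    ", run_scenario(requester_as_envelope_sender=True))
    print("hardened design:", run_scenario(requester_as_envelope_sender=False))
```

The weak run shows the bounce landing in the attacker's mailbox with the code inside, and the confirmation succeeding for an address the attacker never controlled. The hardened run routes the bounce to the service instead, revokes the pending code, and the attacker has nothing to submit. The general lesson is that a secret mailed to an address must be treated as compromised, not merely undelivered, whenever that mail comes back.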


Easy cheesy, right? Indeed, though it appears Google has patched the security hole. We tried this ourselves (with the permission of the person whose Gmail account we tried to hijack) and it was no longer working. Still, as far as hacks go, this one was frighteningly easy to pull off before it was patched. It makes you wonder what other security flaws exist that are equally simple to exploit.