Ahmed Mehtab, a student from Pakistan and the CEO of Security Fuse, is in the running to score a $20,000 payday from Google's bug bounty program. While there remains some red tape to clear, Mehtab is likely to receive the bounty for discovering a rather crafty flaw in Gmail relating to its authentication and verification system, one that could make it possible for a remote hacker to hijack a Gmail account.
The vulnerability lies in how Google handles multiple Gmail accounts. A user who has more than one Gmail address can link them and have the primary Gmail account forward email to secondary accounts. If a specific set of conditions exists, it then becomes possible to hijack an email account belonging to someone else. Those conditions include:
- Recipient's SMTP is offline
- Recipient has deactivated his email
- Recipient does not exist or the email ID is invalid
- Recipient exists but has blocked the sender
Check it out:
Easy cheesy, right? Indeed, though it appears Google has patched the security hole. We tried this ourselves (with the permission of the person whose Gmail account we tried to hijack) and it was no longer working. Still, as far as hacks go, this one was frighteningly easy to pull off before it was patched. It makes you wonder what other security flaws exist that are equally simple to exploit.