Gmail allows its users from all over the world to use multiple email addresses and link them with a Gmail account, and it also allows you to set forwarding addresses so that the emails you receive are also sent to the forwarding address. Both of these modules were vulnerable to an authentication or verification bypass. It is similar to an account takeover, but here I as an attacker could hijack email addresses by confirming ownership of an address I did not control, and was then able to use it for sending emails.
Technical Details
If you click on the gear button in Gmail you will see two modules: "Accounts and Import" > "Send mail as", and the Forwarding module; both were affected. This is a logical vulnerability which allowed me to hijack email addresses from Gmail. Any email address associated with or connected to Gmail's SMTP was vulnerable to this issue; it could be @gmail.com, @googlemail.com, @googleemail.com etc. Gmail reports back whether an email was delivered or not: if we send an email to an address which does not exist or is offline, Gmail bounces back a message with the subject "Delivery Status Notification", which contains the reason why Gmail failed to deliver the email to the recipient.
To hijack an email address, one of the following conditions must hold for the attempt to succeed:
- The recipient's SMTP server is offline
- The recipient has deactivated their email
- The recipient does not exist
- The recipient exists but has blocked us
- There could be even more cases
In all of the above cases the recipient will not receive any email from our address, and all I needed was a bounced delivery notification. The bounce stating that the email was not delivered, and the reason why, also quoted the complete message that had been sent for verification to the address you want to associate, including the verification code and activation link. That verification code could then be used to confirm ownership of the email address, which defeats the whole concept of verification. The same procedure applied to the email forwarding module, which I also found vulnerable. All we need is an address that cannot receive emails from our side, per the cases mentioned above.
In the image shown above you can clearly see how Gmail bounced back the email containing the message forwarded to the recipient for verification, including the link and code used to confirm ownership.
There is also a scenario where an attacker tricks the victim into deactivating their account, or into blocking the attacker's address so that the victim no longer receives emails from it; once the victim does that, the attacker can hijack the victim's address easily, because Gmail bounced back the email containing the verification code. The Forwarding section also requires a confirmation, and it was affected in the same way.
Procedure
- Attacker tries to confirm ownership of xyz@gmail.com
- Google sends an email to xyz@gmail.com for confirmation
- xyz@gmail.com cannot receive email, so the email is bounced back to Google
- Google delivers a failure notification to the attacker's inbox, containing the verification code
- Attacker takes that verification code and confirms ownership of xyz@gmail.com
You can clearly see the procedure in the video, which was recorded while the issue was still present.
After confirming ownership I was able to use the address for sending emails, and it could also be used as an alias.
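To show where the fix belongs, here is a toy model of the verification flow, written for this post and not Gmail's code: the vulnerable service quotes the original message inside the bounce notification, while the hardened service revokes the pending code as soon as the verification mail bounces and sends the requester a DSN with no quoted body. All addresses, the token format and the DSN wording are constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass, field

# Codes in this toy model are 16 hex characters (secrets.token_hex(8)).
CODE_RE = re.compile(r"Code: ([0-9a-f]{16})")


@dataclass
class VerificationService:
    """Toy model of an 'add address' verification flow (constructed, not Gmail's code)."""
    deliverable: set                 # mailboxes that accept mail; everything else bounces
    scrub_bounces: bool              # True = hardened: DSN has no original body, token revoked
    pending: dict = field(default_factory=dict)   # token -> address being verified
    inbox: dict = field(default_factory=dict)     # mailbox -> list of received messages

    def request_verification(self, requester, target):
        """Mail a one-time code to `target`; only `target` should ever see it."""
        token = secrets.token_hex(8)
        self.pending[token] = target
        self._send(requester, target, f"Confirm that you own {target}. Code: {token}")
        return token  # returned only so the test can check that a bounced code is useless

    def _send(self, requester, target, body):
        if target in self.deliverable:
            self.inbox.setdefault(target, []).append(body)
            return
        dsn = f"Delivery Status Notification: mail to {target} was not delivered."
        if self.scrub_bounces:
            # Hardened: a verification mail that bounced can never be redeemed,
            # and the DSN must not quote the original message back to the requester.
            self.pending = {t: a for t, a in self.pending.items() if a != target}
        else:
            # Vulnerable: the DSN quotes the full original message, code included.
            dsn += "\n----- Original message -----\n" + body
        self.inbox.setdefault(requester, []).append(dsn)

    def confirm(self, token):
        """Return True if `token` is a valid, still-pending code (single use)."""
        return self.pending.pop(token, None) is not None


def leaked_code(message):
    """Return a verification code found in a bounce message, or None if absent."""
    m = CODE_RE.search(message)
    return m.group(1) if m else None
```

Revoking on bounce matters as much as scrubbing the DSN: even a DSN that only quoted headers would still leave the code valid if the original mail were later retrieved some other way.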
Timeline
20 OCT > Reported to Google
20 OCT > Report triggered
1 Nov > Report Acknowledged in Hall of Fame
- https://bughunter.withgoogle.com/characterlist/23
- https://bughunter.withgoogle.com/profile/c0f2a725-a6af-4f6d-af41-67bcbdbe37b2
UPDATE:
Google paid me $500 for finding this vulnerability. It was covered by different blogs and news channels; some of them are listed below, including Forbes, CNN, the Kaspersky blog, IBTimes UK and many more.
- http://www.forbes.com/sites/leemathews/2016/11/08/gmail-attack-could-hijack-accounts-in-12-easy-steps/
- http://www.ibtimes.co.uk/google-patches-gmail-verification-flaw-that-allowed-attackers-take-control-user-accounts-1590394
- https://threatpost.com/clever-gmail-hack-let-attackers-take-over-accounts/121818/
- http://www.ithome.com.tw/news/109567
- www.cnnturk.com/teknoloji/gmailde-hack-skandali
Comments
- You should have been rewarded, that is a major flaw. Thank you for posting it.
- Next time sell it for some bitcoin ;)
- Fckin genius