Feeds

'High impact' Gmail password security hole blew accounts wide open

Payday for researcher who spotted webmail programming gaffe

Internet Security Threat Report 2014

Vid Google has fixed a "high impact" security bug in Gmail's password reset system that could have left any account wide open to a crafty hijacker.

The flaw, spotted by security researcher Oren Hafif, was exploited by sending a spoofed email that reminds the Gmail user that it's time to reset their password. Clicking on the link sends the user to a website that masquerades as a Google page and asks for the user for a new password. That hacker-controlled site also initiates a cross-site request forgery attack via XSS that tricks Google into handing over the victim's login cookie.

"I want you to be honest and agree that if Google says that 'you've confirmed ownership' of your Google Account, and asks you to choose a new password you will not do so? At least your auntie would!" Hafif said in a blog post explaining the attack.

The spoof site can shift the user to a secure Google web page, but by this point, the attacker will have harvested the username, new password and the login cookie for the account. Once inside, they would also get free rein to change passwords on other services associated with that Gmail email address.

Hafif says he alerted Google to the issue and the Chocolate Factory fixed it within 10 days and confirmed he will receive a payment under its bug bounty program, although Google isn't saying how much it is giving him.

Youtube video of the Gmail exploit

Hafif, who'll earn a bounty for reporting the flaw, has also uploaded a video, see above, showing how the attack takes place, backed by some Euro happy house (Can't slow down by Nicco and Bastian Bates, ahem) that will have you reaching for the glowsticks and green lasers and gurning in sympathy. ®

Choosing a cloud hosting partner with confidence

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.