Gmail Password Reset Vulnerability Rejected by Google Security Team 2013

 

 


 

 Introduction



As a security researcher, I spend my free time on both application and web application security. During one of my research projects I was focusing on auditing session hijacking attacks on internal networks, so I started working on Twitter, Facebook, Yahoo, Google and Google Mail. I was surprised to find a few issues on all of them! In this article I want to explain one of my cool findings on Google Plus, which can be used to completely compromise an account.

According to Wikipedia [1], Google Mail had around 425 million users in June 2012, so any serious vulnerability puts millions of users at risk.

Finding the password reset vulnerability in Google Mail

Step I:
To find vulnerabilities you need a target, and target selection is a very important key to successful vulnerability discovery. Once the victim's account is known, use the "forgot my password" option.


Step II:
As the most important step, randomly enter the last password and the dates of creation, and then click Next.




Step III:
As part of Google's verification, the user must enter 5 email IDs. The attacker creates 5 new email IDs and sends a normal mail to the victim account; these 5 email IDs can then be used to reset that particular email account.

Step IV:
Enter the email ID that Google should contact to send the reset token.
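
A defensive illustration of the weakness in Steps III and IV, added here and not taken from the original post or from Google: it contrasts a recovery check that accepts any address found in the mailbox with one that counts only contacts the owner wrote to well before the request. The mailbox records, function names and thresholds are assumptions; Google's actual recovery logic is not described on this page.

```python
from datetime import datetime, timedelta

# Constructed data for a hypothetical account: (direction, peer, timestamp).
# "out" = mail the owner sent to peer, "in" = mail received from peer.
NOW = datetime(2013, 1, 1)  # constructed time of the recovery request
LEGIT = [f"{n}@example.org" for n in ("alice", "bob", "carol", "dave", "erin")]
FRESH = [f"new{i}@example.net" for i in range(5)]  # wrote to the account yesterday
MAILBOX = (
    [("out", a, NOW - timedelta(days=60 + 30 * i)) for i, a in enumerate(LEGIT)]
    + [("in", a, NOW - timedelta(days=1)) for a in FRESH]
)
REQUIRED = 5  # number of contacts the recovery form asks for, per the post


def weak_contact_check(claimed, mailbox):
    """Accept any address that appears anywhere in the mailbox,
    including senders the owner never wrote to."""
    known = {peer for _, peer, _ in mailbox}
    return len(set(claimed) & known) >= REQUIRED


def hardened_contact_check(claimed, mailbox, now, min_age_days=30):
    """Count only addresses the owner has sent mail to, and only when
    that outbound mail is at least min_age_days older than the request."""
    cutoff = now - timedelta(days=min_age_days)
    trusted = {p for d, p, ts in mailbox if d == "out" and ts <= cutoff}
    return len(set(claimed) & trusted) >= REQUIRED


def suspicious_claims(claimed, mailbox, now, window_days=7):
    """Detection signal: claimed contacts whose whole history is inbound
    mail first seen inside the window before the recovery request."""
    recent = now - timedelta(days=window_days)
    outbound = {p for d, p, _ in mailbox if d == "out"}
    first_seen = {}
    for _, p, ts in mailbox:
        first_seen[p] = min(ts, first_seen.get(p, ts))
    return sorted(a for a in set(claimed)
                  if a in first_seen and a not in outbound
                  and first_seen[a] >= recent)


if __name__ == "__main__":
    print("weak, fresh senders:    ", weak_contact_check(FRESH, MAILBOX))
    print("hardened, fresh senders:", hardened_contact_check(FRESH, MAILBOX, NOW))
    print("hardened, real contacts:", hardened_contact_check(LEGIT, MAILBOX, NOW))
    print("flag for review:        ", suspicious_claims(FRESH, MAILBOX, NOW))
```

The third function is the piece worth wiring into recovery logging: a request whose claimed contacts all first appeared as inbound senders days earlier is a strong signal to fall back to a stronger verification channel.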

Google Unfixed Vulnerability:


Security researcher Noah Franklin found this vulnerability and reported it to Google on April 16th, 2011.

Security researchers DinaKaran & Noah Franklin, Cyber InfoSec, reported this vulnerability on August 22, 2013. Later they fixed it without any information.


References:   
Noah Franklin’s Previous Security Research  


 
