Nowadays just to keep users safe against various cyber attacks, almost every giant company have implemented a bug bounty program in which the successful candidate is rewarded with the prize to discover any flaw or vulnerability in their services. Recently, a Pakistani student and CEO of Security Fuse, Ahmed Mehtab was listed in Google’s Hall of Fame for discovering a major flaw in Gmail which allows anyone to hack any email account. However, qualifying for Google’s VRP is never going to be easy so it becomes vital that the vulnerability/flaw is identified in any of these categories mentioned:
Cross-site scripting, Cross-site request forgery, Mixed-content scripts, Authentication or authorization flaws, Server-side code execution bugs
If the Flaw/Vulnerability seems to be the valid one then the researchers can expect to receive up to $20,000 from Google. Guess what! Ahmed Mehtab is the latest to win the prize money by Google. Gmail allows users to set forwarding address so the emails which users receives are also sent to the another added the email address. Ahmed Mehtab said ” These two modules were actually vulnerable to authentication or verification bypass. It’s similar to account takeover but here I as an attacker can hijack email addresses by confirming the ownership of email and was able to use it for sending emails.” Ahmed Mehtab Said in his blog Security Fuse that any email address could be hacked if it matches any of the following cases-
If recipients SMTP is offline If recipient has deactivated his email If recipient does not exist If recipient exists but has blocked us Cases could be even more
Further, Ahmed Mehtab discussed how the hack is carried out:
Attacker try’s to confirm ownership of [email protected] Google sends email to [email protected] for confirmation [email protected] is not capable of receiving email so email is bounced back to Google Google gives attacker a failure notification in his inbox with the verification code Attacker takes that verification code and confirms his ownership to [email protected]
Ahmed Mehtab also posted a video that was recorded at the time when it was vulnerable. However, he mentioned that he was not awarded for such a serious security issue but they listed him in Google’s Hall Of Fame for his contribution.