Posted in: Blog, Posted On: Jan 20, 2014, Posted By: cyberinfoadmin

Gmail Password Reset Vulnerability Rejected by Google Security Team 2013



Introduction


As a security researcher, I spend my free time on both application and web application security. During one of my research projects I was focusing on auditing session hijacking attacks on internal networks, so I started working on Twitter, Facebook, Yahoo, Google and Google Mail. I was surprised to find a few issues on all of them! In this article I want to explain one of my cool findings on Google Plus, which can be used to completely compromise an account. According to Wikipedia, Google Mail had around 425 million users in June 2012, so any serious vulnerability puts millions of users at risk.

Finding the Google Mail Reset Vulnerability in Google Mail


Step I:

To find vulnerabilities you need a target, and target selection is a very important key to successful vulnerability discovery. After identifying the victim's account, use the "forget my password" option.



Step II:

As the most important step, randomly enter a last password and dates of creation, and then click Next.



Step III:

As per Google's verification, the user must enter 5 email IDs. The attacker creates 5 new email IDs and sends a normal mail to the victim account; then we can use these 5 email IDs to reset that particular email.



Step IV:

Enter the email ID that Google needs to contact to send the reset token.
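
The weakness in Step III is that an address counts as a known contact merely because it sent mail to the account, which anyone can arrange. The following is an added example, not code from the original post and not Google's implementation: it compares that weak rule with a hardened one that counts only addresses the owner wrote to well before the recovery request. The mailbox model, function names, the 90-day age rule and all addresses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed mailbox history for a hypothetical account: (timestamp, direction, peer).
# "in" = peer wrote to the account owner, "out" = owner wrote to the peer.
REQUEST_TIME = datetime(2013, 8, 22, 12, 0)
HISTORY = [
    (datetime(2012, 3, 1), "out", "alice@example.org"),
    (datetime(2012, 3, 2), "in", "alice@example.org"),
    (datetime(2012, 9, 14), "out", "bob@example.org"),
    (datetime(2013, 1, 5), "out", "carol@example.org"),
    (datetime(2013, 2, 11), "out", "dave@example.org"),
    (datetime(2013, 4, 30), "out", "erin@example.org"),
] + [
    # Five fresh senders that mailed the account the day before the request.
    (REQUEST_TIME - timedelta(days=1), "in", f"new{i}@example.net")
    for i in range(1, 6)
]

def weak_matches(history, claimed):
    """Weak rule: any address that appears in the mailbox counts."""
    seen = {peer.lower() for _, _, peer in history}
    return sum(1 for c in set(map(str.lower, claimed)) if c in seen)

def hardened_matches(history, claimed, request_time, min_age_days=90):
    """Count only addresses the owner wrote to, first contacted before the cutoff."""
    cutoff = request_time - timedelta(days=min_age_days)
    first_out = {}
    for ts, direction, peer in history:
        if direction == "out":
            peer = peer.lower()
            first_out[peer] = min(ts, first_out.get(peer, ts))
    return sum(1 for c in set(map(str.lower, claimed))
               if c in first_out and first_out[c] <= cutoff)

def recovery_allowed(matches, required=5):
    """The page states five addresses are required; the threshold is a parameter here."""
    return matches >= required

SEEDED = [f"new{i}@example.net" for i in range(1, 6)]
OWNER = ["alice@example.org", "bob@example.org", "carol@example.org",
         "dave@example.org", "erin@example.org"]

if __name__ == "__main__":
    for label, claim in (("seeded", SEEDED), ("owner", OWNER)):
        print(label, weak_matches(HISTORY, claim),
              hardened_matches(HISTORY, claim, REQUEST_TIME))
```

Under the weak rule the five freshly seeded addresses satisfy the check; under the hardened rule they score zero while the owner's real correspondents still pass.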




Google Unfixed Vulnerability:

Security researcher Noah Franklin found this vulnerability and reported it to Google on April 16th 2011.

Security researcher Noah Franklin from Cyber InfoSec reported this vulnerability on August 22 2013. Later they fixed it without any information.


References:

Noah Franklin’s Previous Security Research


http://www.mediafire.com/view/t2p4hn4n43u1hp1/demo_hacking_by_Franklin.doc