Posted in: Blog, Posted On: Jan 20, 2014,Posted By: cyberinfoadmin
Gmail Password Reset Vulnerability Rejected by Google Security Team 2013
As a security researcher in my free time I spend my time on both application and web application security. During one of my researches while I was focusing on auditing Session hijacking attacks on internal networks. So I started working on twitter, Facebook, Yahoo and Google, Google Mail I just surprised I found few issues on all of them! And in this article I want to explain one of my cool findings on Google Plus! Which can be used to completely compromise an account?According to Wikipedia1, Google mail has around 425 million users in June 2012 so any serious vulnerabilities puts millions of users in risk. Finding Google mail reset vulnerability in Google Mail.
To find vulnerabilities you need a target and target selection is very important key in successful vulnerability discovery. After knowing the victims account use forget my password.
So as the most important step randomly entered last Password and dates of creation and then click next
As per Google verification user must enter 5 email ids. From attacker side creates a 5new email ids and send a normal mail to the victim account then we can use tis 5 email ids to reset that particular email.
Enter the email id Google need to contact send the reset token.
Security Researcher Noah Franklin Founded this vulnerability and reported to Google on April 16th 2011
Noah Franklin’s Previous Security Research