Gmail password login security issue quickly fixed

Gmail password login security issue quickly fixed

When we forget our Gmail login we tend to use the Gmail password recovery system, this allows us to get an email that in the end gives us access to our Google emails. But, there was a massive security hole in its Gmail email service that was in the end fixed by Google within 10 days.

Hacker Oren Hafif found a huge security issue, who mentioned that the involved Gmail’s password recovery system.

Hafif said over on his blog “(I)f someone got access to your Gmail account, he can ‘password recover’ his way to any other web/mobile application out there,” and this is indeed true, someone who is potentially an aggressor could indeed send a phishing email tailored with the target Gmail user’s email address in the URL, with the link referring to a site inhibited by the attacker.

Google fixed this security flaw in 10 days, stealing the Google Gmail password looks like a normal phishing email, and this is where it all starts. In reality the link takes the Gmail victim to a hackers controlled website.

In a nutshell when users use the Gmail password recovery the hackers site will execute a cross-site forgery (CSRF), and then it launches what is called as a cross-site scripting (XSS) attack and it is this that fooled Google into believing the user wanted a password reset because they had problems with their Gmail login.

Before anyone asks, Hafif is not a bad guy in all this, he is the one doing the good, and he was the one who informed Google.

Have you had Gmail login problems after requesting a password recovery reset?

  • gregory segarra

    I want to login