A Pakistani student found a security in the Gmail email service that allows remote attackers to hijack easily any email account hosted on Google’s servers.
Gmail Under Fire
The Pakistani student Ahmed Mehtab has reported a critical vulnerability in the Gmail email hosting solution of Google. His bug report was listed in the Google’s Hall of Fame for contributing such a critical vulnerability in Google’s own bug bounty program – Google Vulnerability Reward Program (VRP).
The security researcher has provided proof and a test case scenario which bypasses the Gmail security mechanisms. According to some analyst reports the bug is quite severe, as it may be possible that it allows remote attackers to hijack every target inbox.
Ahmed has discovered that the method used for user authentication is vulnerable to a security exploit. The consequences of the programming error could mean that the attackers can bypass the basic protection measures and hijack a given inbox.
There are case scenarios where a hijack can be made:
- The recipient of the SMTP client is offline
- The recipient has deactivated access to his email account
- The recipient has an invalid email ID
- The recipient has blocked the sender
The hijacker is carried out by the following procedure
- The attacker tries to confirm ownership of the target email address by quering the Google servers
- Google sends a message of confirmation to the target address
- The email address itself cannot receive the message and thus the email is bounced back to the sender
- The bounced email has the full contents of the original verification code which is relayed to the sender
- The attacker hijacks the verification code and takes ownership of the target address
This quite dangerous as the Gmail account is automatically linked to all other Google services. This hijack strategy can be used by bot nets if they are configured accordingly to launch a massive Gmail attack campaign that can potentially impact thousands of users.
The reported bug was quickly addressed by Google’s security team. Security analysts were quick to acknowledge that the bug bounty program is a major defensive mechanisms against intrusion threats. Such initiatives help alleviate security issues by rewarding the researchers who disclose the bugs to the company. This is probably the reason why most large corporations invest a lot in them.