A ‘high impact’ security bug affecting Gmail’s password recovery system was discovered by a researcher – and quickly patched. The vulnerability allowed attackers to reset user passwords remotely, and near-invisibly.
The attack required the victim to open a phishing email purporting to be from Google, but once that happened it allowed the attacker to initiate a password reset, security expert Graham Cluley reported.
It was uncovered by researcher Oren Hafifi and, according to Cluley’s report, was patched by Google within 10 days.
“If I told you to think of the most sensitive features (security-wise) in a web application, you would probably say – Login,” Hafifi writes.
“Well, if your definition of ‘Login’ does not include password recovery, then it would definitely be the second one. This means that password recovery is often at the center of attention for attackers – and for security professionals.”
Cluley says, “You really are on an HTTPS Google.com webpage – and yet, the hacker is able to grab information about what you enter as your new password, and cookie information related to your account.”
The Next Web commented, “While it’s a concern to have any password reset system go awry, it is particularly troubling when it’s also your Gmail password, as with access to your account an attacker could initiate further password resets for any other accounts registered to that address.”
Google’s Sebastian Roschke said, “We want to thank Oren Hafifi for the high-impact bug he reported in Account Recovery.”
Author: Rob Waugh, We Live Security