A security researcher named Oren Hafif found a vulnerability in the gmail accounts that could allow an attacker to hijack any email account.

This is a type of the password reset vulnerability, in the hacking process attacker have to send an email which looks like an email from an official google account.

It’s a simple spear-phishing attack by leveraging a number of flaws i.e Cross-site request forgery (CSRF), and cross-site scripting (XSS), and a flow bypass.

In the mail, it says-“Please confirm account ownership by clicking on this link:”

Hackers email

Upon clicking the link, it redirect users to a page that is linked to but in real it leads the victim to the attacker’s website because of CSRF attack with a customized email address.

In that page you have to enter, the last password you remember and a new password:

confirmation gmail

After completing the information collecting process—attacker has received your new password that you set for your account and cookie information of your account:

hacked success

Meanwhile, you can check out the demonstration video uploaded to YouTube by Oren Hafif:



This site uses Akismet to reduce spam. Learn how your comment data is processed.