This is a type of the password reset vulnerability, in the hacking process attacker have to send an email which looks like an email from an official google account.
It’s a simple spear-phishing attack by leveraging a number of flaws i.e Cross-site request forgery (CSRF), and cross-site scripting (XSS), and a flow bypass.
In the mail, it says-“Please confirm account ownership by clicking on this link:”
Upon clicking the link, it redirect users to a page that is linked to https.google.com but in real it leads the victim to the attacker’s website because of CSRF attack with a customized email address.
In that page you have to enter, the last password you remember and a new password:
After completing the information collecting process—attacker has received your new password that you set for your account and cookie information of your account:
Meanwhile, you can check out the demonstration video uploaded to YouTube by Oren Hafif: