Three types of vulnerabilities could have been exploited for spear phishing attacks

Nov 22, 2013 10:32 GMT

Security researcher Oren Hafif has identified a number of vulnerabilities in Google’s password recovery process that could have been utilized by cybercriminals to hijack accounts.

Google phishing attacks are not uncommon, but the expert has managed to find a way to make such an attack very realistic-looking by leveraging a number of flaws identified in the password recovery process.

Three types of security holes are chained in this attack: cross-site request forgery (CSRF), cross-site scripting (XSS), and a flow bypass.

As an example, the expert has come up with a spear-phishing attack scenario. The attacker sends his victim a fake “Confirm account ownership” email from an official-looking Gmail account.

The email instructs the recipient to confirm ownership of the account by clicking on a link and changing his/her password. The link from the email apparently points to a google.com URL, but it actually leads the victim to the attacker’s website.

This is the point where the vulnerabilities are exploited. The cybercriminal’s website is set up to perform a CSRF attack with a customized email address.

Then the XSS exploit is triggered, allowing the attacker to capture the information entered by the victim once he/she presses the Reset Password button. Interestingly, the XSS filter in Google Chrome doesn’t block the attack.
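To illustrate the defensive side of the three flaw classes in a recovery flow like the one described above, here is a minimal, hypothetical password-recovery handler (added example; it is not Google's code and not taken from Hafif's research). It binds the recovered address and a CSRF token to a server-side session, refuses to reach the reset step without a completed verification step (flow bypass), and HTML-escapes the address before rendering it (reflected XSS):

```python
"""Hardened password-recovery flow (hypothetical, constructed for illustration)."""
import hmac
import html
import secrets
from dataclasses import dataclass, field


@dataclass
class RecoverySession:
    email: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    step: str = "start"  # allowed transitions: start -> verified -> done


# Server-side session store, keyed by an opaque session id (assumed to live in a cookie).
SESSIONS: dict[str, RecoverySession] = {}


def start_recovery(session_id: str, email: str) -> RecoverySession:
    """Step 1: record which account is being recovered, bound to this session."""
    sess = RecoverySession(email=email)
    SESSIONS[session_id] = sess
    return sess


def render_confirm_page(session_id: str) -> str:
    """Render the address back to the user, escaped so attacker-controlled input
    (for example a crafted address supplied via a CSRF request) cannot inject markup."""
    sess = SESSIONS[session_id]
    return (
        f"<p>Recovering: {html.escape(sess.email)}</p>"
        f'<input type="hidden" name="csrf" value="{sess.csrf_token}">'
    )


def verify_ownership(session_id: str, code_ok: bool) -> bool:
    """Step 2: advance only when the ownership check (e.g. a mailed code) succeeded."""
    sess = SESSIONS[session_id]
    if sess.step != "start":
        return False
    if code_ok:
        sess.step = "verified"
    return code_ok


def reset_password(session_id: str, csrf_token: str, new_password: str) -> bool:
    """Step 3: reachable only after verification, and only with the session's own token."""
    sess = SESSIONS.get(session_id)
    if sess is None or sess.step != "verified":
        return False  # flow bypass: jumping straight to the reset step is refused
    if not hmac.compare_digest(csrf_token, sess.csrf_token):
        return False  # CSRF: a request forged from another origin cannot know the token
    sess.step = "done"  # one-shot: the session cannot be replayed for a second reset
    return True
```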

Google addressed the issues 10 days after being notified. The company will reward Hafif with $5,100 (€3,780) for his work and will add his name once again to its Application Security Hall of Fame.

Additional technical details on this attack are available on Hafif’s blog. You can also check out this video, which shows how such an attack works: