Google fixes security hole in Gmail


Now it can be told. Google has fixed a potentially serious security hole in its Gmail email service, after a security researcher discovered the flaw.

The Internet giant fixed the flaw within 10 days of being informed by white-hat hacker Oren Hafif, who said the bug involved Gmail's password recovery mechanism.

"(I)f someone got access to your Gmail account, he can 'password recover' his way to any other web/mobile application out there," Hafif said in a blog post.

Hafif said an attacker can send the target a phishing email whose link carries the target's Gmail address in the URL and points to a site under the attacker's control.
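The chain described above only works if Google's password-recovery endpoint will honour a request that the victim's browser sends on the attacker's behalf. The following toy is an added example for this article, not Google's code and not Hafif's exploit: a minimal recovery endpoint that trusts the session cookie alone, beside a version that also checks the request's Origin and a per-session anti-CSRF token. The session store, hostnames (mail.example.com, attacker.example) and request shapes are constructed for the illustration.

```python
# Added example: a toy password-recovery endpoint that is open to cross-site
# request forgery, next to a hardened version. Not Google's code; the session
# store, hostnames and request objects below are constructed for illustration.
import hmac
import secrets
from dataclasses import dataclass

SITE_ORIGIN = "https://mail.example.com"  # assumed origin of the real webmail app

# Constructed server-side session store. The victim is logged in, and their
# browser attaches the SID cookie to any request aimed at SITE_ORIGIN no matter
# which page triggered it; that is the property a CSRF attack abuses.
SESSIONS = {
    "sid-victim": {"user": "victim@example.com", "csrf": secrets.token_hex(16)},
}


@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict
    form: dict


def vulnerable_reset(req: Request) -> dict:
    """Trusts the session cookie alone, so a POST auto-submitted by the
    attacker's page looks exactly like one the user made on the real site."""
    sess = SESSIONS.get(req.cookies.get("SID"))
    if req.method != "POST" or sess is None:
        return {"status": 401}
    return {"status": 200, "user": sess["user"],
            "recovery_email": req.form.get("recovery_email")}


def hardened_reset(req: Request) -> dict:
    """Same endpoint with two independent CSRF defences."""
    sess = SESSIONS.get(req.cookies.get("SID"))
    if req.method != "POST" or sess is None:
        return {"status": 401}
    # Defence 1: browsers set Origin on cross-site POSTs and a page cannot forge it.
    if req.headers.get("Origin") != SITE_ORIGIN:
        return {"status": 403, "reason": "cross-origin request"}
    # Defence 2: per-session synchronizer token. The attacker's page cannot read
    # the victim's token, so the forged form cannot carry it.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return {"status": 403, "reason": "missing or wrong csrf token"}
    return {"status": 200, "user": sess["user"],
            "recovery_email": req.form.get("recovery_email")}


def forged_request() -> Request:
    """What the victim's browser sends after the attacker's page auto-submits a
    hidden form to the recovery endpoint (constructed sample)."""
    return Request(
        method="POST",
        headers={"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"},
        cookies={"SID": "sid-victim"},  # attached automatically by the browser
        form={"recovery_email": "attacker@attacker.example"},  # no csrf_token
    )


def legitimate_request() -> Request:
    """The same action submitted from a form rendered by the real site."""
    return Request(
        method="POST",
        headers={"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"},
        cookies={"SID": "sid-victim"},
        form={"recovery_email": "me@example.com",
              "csrf_token": SESSIONS["sid-victim"]["csrf"]},
    )


if __name__ == "__main__":
    print("vulnerable, forged :", vulnerable_reset(forged_request()))
    print("hardened,   forged :", hardened_reset(forged_request()))
    print("hardened,   legit  :", hardened_reset(legitimate_request()))
```

Running the block shows the forged request changing the victim's recovery address on the vulnerable endpoint and being refused with 403 on the hardened one, while the same-site submission still succeeds. In practice a `SameSite=Lax` or `Strict` attribute on the session cookie adds a third, browser-enforced layer, and an account-recovery change should additionally demand fresh re-authentication rather than relying on the session alone.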

Hafif said Google's team acted swiftly: "Google security team acted really fast. This issue was fixed in 10 days."

Security researcher Graham Cluley noted the process of stealing the Google password starts with a "fairly normal looking phishing email, claiming to come from Google."

But the link really takes the intended victim to a website under the hacker’s control.

Cluley said the hacker's site quickly performs a cross-site request forgery (CSRF), "launching a cross-site scripting (XSS) attack which fools Google into believing that the user has requested a password reset, as if they were having trouble logging in."

"Fortunately, Hafif is one of the good guys rather than a malicious attacker, and so he informed Google of the serious security hole," he said. — TJD, GMA News

source: gmanetwork.com