Google has fixed a bug in its Gmail account retrieval and password reset process that could have allowed an attacker to fool a user into handing over their details.
The bug, discovered by white-hat hacker Oren Hafif, has since been fixed and was confirmed as a ‘high impact’ vulnerability by Googler Sebastian Roschke on Google+.
While we won’t go into the technical details of how Hafif pulled off the hack, you can see a quick overview of the spear-phishing attack in the video below.
One of the worrying things is that as part of the process, the user is actually directed to a genuine HTTPS Google.com webpage at one point.
While it’s a concern to have any password reset system go awry, it is particularly troubling when it’s your Gmail password, because with access to your account an attacker could initiate further password resets for any other accounts registered to that address.
On this occasion though, it seems to be one of the good guys that found it first.
➤ Google Account Recovery Vulnerability [Oren Hafif via GrahamCluley.com]