Google patches ‘high impact’ Gmail account vulnerability in password reset system

Google has fixed a bug in its Gmail account retrieval and password reset process that could have allowed an attacker to fool a user into handing over their details.

The bug, discovered by white-hat hacker Oren Hafif, has since been fixed and was confirmed as a ‘high impact’ vulnerability by a Google employee on Google+.

While we won’t go into the technical details of how Hafif pulled off the hack, you can see a quick overview of the spear-phishing attack in the video below.

One of the worrying things is that, at one point in the process, the user is directed to a genuine HTTPS Google.com webpage, so the usual advice to check for the padlock and the google.com domain in the address bar would not have exposed the attack on its own.

Any password reset system going awry is a concern, but it is particularly troubling when the password in question is for Gmail: with access to the mailbox, an attacker can initiate password resets for every other account registered to that address, because those services deliver their reset links to the same inbox.
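The article does not describe how Google's recovery flow works, so the following is an added example, not Google's code and not Hafif's technique. It shows the properties a practitioner expects of a reset token: random, stored only as a hash, bound to one account, time-limited and single-use. The class and store names and the 15-minute lifetime are assumptions chosen for illustration; a real service would keep the table in a database and rate-limit redemption attempts.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime for a reset link; chosen for this example, not taken from any real service.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Hypothetical store of pending password-reset tokens, one per account."""

    def __init__(self, clock=time.time):
        # The clock is injectable so expiry can be exercised without sleeping.
        self._clock = clock
        # user_id -> (sha256 hex of the token, absolute expiry time). Constructed in memory for the example.
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for user_id; the caller mails it, the store keeps only its hash."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Storing a hash means a leaked table row cannot be turned into a working reset link.
        self._pending[user_id] = (self._digest(token), self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id, presented):
        """Return True exactly once for the right (user_id, token) pair before expiry, else False."""
        entry = self._pending.get(user_id)
        if entry is None:
            # No pending reset for this account: a token issued to someone else cannot be replayed here.
            return False
        token_hash, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[user_id]
            return False
        # Constant-time comparison so response timing does not leak how many characters matched.
        ok = hmac.compare_digest(token_hash, self._digest(presented))
        if ok:
            del self._pending[user_id]  # single use: the same link must not work twice
        return ok


def walkthrough():
    """Run the happy path and the failure modes with a fake clock; returns the observed results."""
    now = [1_000_000.0]
    store = ResetTokenStore(clock=lambda: now[0])
    token = store.issue("alice")
    results = {
        "other_account_rejected": store.redeem("bob", token) is False,
        "wrong_token_rejected": store.redeem("alice", "not-the-token") is False,
        "first_use_accepted": store.redeem("alice", token) is True,
        "replay_rejected": store.redeem("alice", token) is False,
    }
    expired = store.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired_rejected"] = store.redeem("alice", expired) is False
    return results


if __name__ == "__main__":
    for name, passed in walkthrough().items():
        print(f"{name}: {'ok' if passed else 'FAIL'}")
```

The example deliberately leaves out the part the article is really about: none of these checks help if the user is walked through the genuine flow by an attacker, which is why a reset link on its own should not be the only factor for an account that in turn guards other accounts' recovery mail.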

On this occasion though, it seems to be one of the good guys that found it first.

Source: Google Account Recovery Vulnerability [Oren Hafif via GrahamCluley.com]

Featured Image Credit – Sean Gallup/Getty Images
