
This article was published on November 22, 2013

Google patches ‘high impact’ Gmail account vulnerability in password reset system

Story by Ben Woods, Europe Editor

Ben is a technology journalist with a specialism in mobile devices and a geeky love of mobile spectrum issues. Ben used to be a professional online poker player. You can contact him via Twitter or on Google+.

Google has fixed a bug in its Gmail account recovery and password reset process that could have allowed an attacker to trick a user into handing over their credentials.

The bug, discovered by white-hat hacker Oren Hafif, has since been fixed and was confirmed as a ‘high impact’ vulnerability by Googler Sebastian Roschke on Google+.

While we won’t go into the technical details of how Hafif pulled off the hack, you can see a quick overview of the spear-phishing attack in the video below.

One of the worrying things is that, as part of the process, the user is at one point directed to a genuine HTTPS Google.com page, which undermines the usual advice to check the address bar and the padlock before entering credentials.

While it’s a concern to have any password reset system go awry, it is particularly troubling when the password in question is for Gmail: with access to the mailbox, an attacker could initiate further password resets for any other accounts registered to that address and intercept the reset links.

On this occasion though, it seems to be one of the good guys that found it first.

➤ Google Account Recovery Vulnerability [Oren Hafif via GrahamCluley.com]

Featured Image Credit – Sean Gallup/Getty Images
