
Gmail Attack Could Hijack Accounts In 12 Easy Steps

Posted by on in Internet Privacy

Google knows how complicated your online life has become. That’s why they added a feature to Gmail that lets you send email from your other addresses right inside Gmail. “Send as” can be a real convenience, but it turned out that it could also be abused by hackers.

Ahmed Mehtab, founder of Security Fuse, discovered a vulnerability in the system that Gmail uses to verify that a secondary account belongs to a user. All he had to do was trick Gmail’s servers into returning a piece of undeliverable mail.

Once he received the message he needed, Mehtab could chain together a few additional steps. With relative ease he was able to send email as both google@gmail.com and gmail@gmail.com.

Why would anyone want to do that? Because those addresses look authoritative. Phishing emails sent from addresses like those would look like they were official to a lot of users, which would make an attack that much more likely to succeed.

Was Your Gmail Account At Risk?

Some very specific conditions had to exist for Mehtab to be able to hijack an account. The key one is that it only worked for addresses that send email through Gmail’s SMTP servers (such as gmail.com, googlemail.com, and google.com). The target account also had to be one that had been deactivated, one that had never existed, or one that had blocked the email address from which he was trying to execute the attack.

That last one isn’t as unlikely as it might sound. A well-composed social engineering attack could be sent ahead of time to convince someone to block an address, which would then have allowed Mehtab to take it over.

Keep Calm And Carry On

While Mehtab’s discovery was certainly an alarming one, there’s no need to panic and shut down your Gmail account, even if you do have another gmail.com or googlemail.com address set up under “send as.” He disclosed the vulnerability to Google on October 20, and they had already patched it by November 1.

Source: Forbes
