Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Google fixes flaw in Gmail password reset process

Google has fixed a security issue in its Gmail password recovery process which could leave users' passwords vulnerable to theft via social engineering.

According to a Thursday blog post by Oren Hafif, the white hat hacker who discovered the bug and demonstrated how to exploit it in a video, Google's security team acted swiftly, fixing the issue in 10 days.

By sending a victim a phishing email, designed to look like a password reset email from Google, an attacker could easily lead users to a malicious URL, setting the stage for exploit.

Hafif showed how a cross-site request forgery (CSRF) attack, followed by a cross-site scripting (XSS) attack, could prompt Google to actually allow users to reset their passwords under the watchful eyes of a saboteur.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.