Google has fixed a security issue in its Gmail password recovery process which could leave users' passwords vulnerable to theft via social engineering.
According to a Thursday blog post by Oren Hafif, the white hat hacker who discovered the bug and demonstrated how to exploit it in a video, Google's security team acted swiftly, fixing the issue in 10 days.
By sending a victim a phishing email, designed to look like a password reset email from Google, an attacker could easily lead users to a malicious URL, setting the stage for exploit.
Hafif showed how a cross-site request forgery (CSRF) attack, followed by a cross-site scripting (XSS) attack, could prompt Google to actually allow users to reset their passwords under the watchful eyes of a saboteur.
