Google:From Privilege Escalation Vulnerability to Full Takeover Account

 

In this Write-Up i’ll explain how i was able to reset password and have full access to any Google user’s account that haven’t security question enabled.

This is the Bug Report i sent to Google Security Team.

I’ve found a huge bug in Gmail.I’ve found a way to have full access to a Gmail account with no victim’s interaction.This bug can be exploited if the victim hasn’t setted the security question.
These are the steps to reproduce the issue:
1)Go to https://www.google.com/accounts/recovery/?hl=en
Click on “I don’t know my password”   Now in the “Email address” form we have to insert the victim’s gmail email address and subsequently click on the “Continue” button
2)Now in the new page in the “Enter the last password you remember” we have to insert a random password (in my case i’ve used 1122334455)  and subsequently click on the “Continue” button.
3)Now in the new page you can see this message “Can’t access any of these recovery options? Verify your identity by answering multiple questions about your account.” so click on the “Verify your identity” link
4)Now in the “Enter an email address where we can contact you if necessary (Required)” form we have to insert the attacker’s gmail email
and in the “Re-enter email address (Required)” we have to insert again the attacker’s gmail email and subsequently click on the “Continue” button.
5)Now in the “Last password you remember (Required)” form we have to insert a random password (in my case i’ve used 1122334455)
In the “When was the last time you were able to sign in to your Google Account? (Required)” we have to choose a random date (in my case i’ve chosen ‘March 1 1991’)
In the “When did you create your Google Account? (Required)” form we have to choose a random date (in my case i’ve chosen ‘March 1991’)
Now click on the “Continue” button.
6)Now in the new page click on the “Skip these questions” button without answering to the questions.
7)Now in the new page click on the “Submit” button.
When we click on the “Submit” button an email will be sent to the attacker gmail email with the link to reset the password of the victim’s gmail email
.Now the attacker has full access to the victim’s profile.With this bug i can reset the Gmail password of all users that have not setted the security question.

The bug has now been fixed.This is the Video PoC

YouTube IconTwitter IconVisit Our Linkedin profile