{"id":117,"date":"2014-06-10T12:24:40","date_gmt":"2014-06-10T10:24:40","guid":{"rendered":"https:\/\/hacksecproject.com\/?p=117"},"modified":"2018-11-23T17:01:06","modified_gmt":"2018-11-23T17:01:06","slug":"googlefrom-privilege-escalation-vulnerability-to-full-takeover-account","status":"publish","type":"post","link":"https:\/\/hacksecproject.com\/?p=117","title":{"rendered":"Google:From Privilege Escalation Vulnerability to Full Takeover Account"},"content":{"rendered":"

In this Write-Up i’ll explain how i was able to reset password and have full access to any Google user’s account that haven’t security question enabled.<\/p>\n

This is the Bug Report i sent to Google Security Team.<\/p>\n

I’ve found a huge bug in Gmail.I’ve found a way to have full access to a Gmail account with no victim’s interaction.This bug can be exploited if the victim hasn’t setted the security question.<\/p>\n

These are the steps to reproduce the issue:
\n1)Go to https:\/\/www.google.com\/accounts\/recovery\/?hl=en
\nClick on “I don’t know my password”\u00a0\u00a0 Now in the “Email address” form we have to insert the victim’s gmail email address and subsequently click on the “Continue” button
\n2)Now in the new page in the “Enter the last password you remember” we have to insert a random password (in my case i’ve used 1122334455)\u00a0 and subsequently click on the “Continue” button.
\n3)Now in the new page you can see this message “Can’t access any of these recovery options? Verify your identity by answering multiple questions about your account.” so click on the “Verify your identity” link
\n4)Now in the “Enter an email address where we can contact you if necessary (Required)” form we have to insert the attacker’s gmail email
\nand in the “Re-enter email address (Required)” we have to insert again the attacker’s gmail email and subsequently click on the “Continue” button.
\n5)Now in the “Last password you remember (Required)” form we have to insert a random password (in my case i’ve used 1122334455)
\nIn the “When was the last time you were able to sign in to your Google Account? (Required)” we have to choose a random date (in my case i’ve chosen ‘March 1 1991’)
\nIn the “When did you create your Google Account? (Required)” form we have to choose a random date (in my case i’ve chosen ‘March 1991’)
\nNow click on the “Continue” button.
\n6)Now in the new page click on the “Skip these questions” button without answering to the questions.
\n7)Now in the new page click on the “Submit” button.
\nWhen we click on the “Submit” button an email will be sent to the attacker gmail email with the link to reset the password of the victim’s gmail email
\n.Now the attacker has full access to the victim’s profile.With this bug i can reset the Gmail password of all users that have not setted the security question.<\/p>\n

The bug has now been fixed.This is the Video PoC<\/p>\n