Hacking Gmail account, Google account password Hacking tool, Gmail hacking Tool
Oren Hafif, a security researcher, has discovered a critical vulnerability in the password reset process of Google accounts that allows an attacker to hijack any account.

He managed to trick Google users into handing over their passwords via a simple spear-phishing attack by leveraging a number of flaws, i.e. cross-site request forgery (CSRF), cross-site scripting (XSS), and a flow bypass.
In a proof of concept video demonstration, the attacker sends his victim a fake "Confirm account ownership" email, claiming to come from Google.

The link mentioned in the email instructs the recipient to confirm ownership of the account and urges the user to change their password.

The link in the email appears to point to an HTTPS google.com URL, but it actually leads the victim to the attacker's website because of a CSRF attack with a customized email address.

The Google HTTPS page will ask the victim to confirm ownership by entering their last password, and will then ask them to reset the password.

In reality, the attacker captures the victim's new password and cookie information at this step using an XSS attack.

Hafif reported the details of this serious security vulnerability to Google's security engineers, and Google has now addressed the issues. Google has rewarded Mr. Hafif with $5,100 under its Bug Bounty Program.
