Introduction
Gmail allows its users all over the world to use multiple email addresses and associate or link them with Gmail. Gmail also allows you to set forwarding addresses, so the emails you receive are also sent to the address you have forwarded to. These two modules were vulnerable to an authentication or verification bypass. It's similar to account takeover, but here I, as an attacker, can hijack email addresses by confirming ownership of the email, and was able to use it for sending emails.
If you click on the gear button in Gmail, you will see two modules there: the one named “Account and Import” > “Send Mail As”, and the Forwarding module. Both were affected. This is a logical vulnerability which allowed me to hijack email addresses from Gmail. Any Gmail address which is associated or connected with Gmail's SMTP was vulnerable to this security issue. It could be @gmail.com or @googlemail.com or @googleemail.com etc. We are aware of the fact that Gmail gives us a report on mail delivery, saying whether the email was sent or not. Likewise, if we send an email to any address which does not exist or is offline, Gmail will bounce back a message with the subject Delivery Status Notification, which contains the reason why Gmail failed to deliver your email to the recipient.
To hijack any email address, one of the following cases must apply for it to succeed:
If the recipient's SMTP is offline
If the recipient has deactivated his email
If the recipient does not exist
If the recipient exists but has blocked us
There could be even more cases
In all of the above cases the recipient won't be able to receive any email from our addresses, and all I needed was a bounced Delivery Notification. The emails that bounced back, with a notification stating that your email wasn't delivered for the following reason, also contained the verification code and activation link, together with the complete message that was sent for verification to the address you want to associate with. That verification code could then be used to verify and confirm ownership of the email address, which actually kills the concept of verification. The same procedure was also applied to the email forwarding module, and I found it vulnerable as well. All we need is an address which is not capable of receiving emails from our side, as in the cases mentioned above.
In the image shown above you can clearly see how Gmail was bouncing back the email, which contains the content forwarded to the recipient for verification, including the link and code used to confirm ownership.
There is a scenario where the attacker can trick the victim into deactivating his account, or into blocking the attacker's email address, so that he is not able to receive emails from outside. Once he does that, we can hijack his email address easily, because Gmail was bouncing back the email which contains the verification code. Moreover, the Forwarding section also requires a confirmation, which was affected as well.
Attacker tries to confirm ownership of email@example.com
Google sends an email to firstname.lastname@example.org for confirmation
email@example.com is not capable of receiving email, so the email is bounced back to Google
Google gives the attacker a failure notification in his inbox with the verification code
Attacker takes that verification code and confirms his ownership of firstname.lastname@example.org
You can clearly see the procedure in the video, which was recorded at the time when it was vulnerable.
After confirming the ownership I was able to use it for sending emails, and it could also be used as an alias.
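The bounce flow described above, modelled as an added example (not code from the original post or from Google), with the vulnerable routing beside a hardened one. The addresses, the function names and the hardened behaviour are assumptions made for illustration, since the post does not say how the issue was fixed.

```python
import secrets
from email.message import EmailMessage

SYSTEM_BOUNCES = "bounces@mailer.example"  # hypothetical mailbox only the service reads

def build_verification(requester, target, code, hardened):
    """Return (envelope_sender, message) for the ownership check sent to target."""
    msg = EmailMessage()
    msg["From"] = "verify@mailer.example"
    msg["To"] = target
    msg["Subject"] = "Confirm ownership of this address"
    msg.set_content(f"Confirmation code: {code}\n")
    # The envelope sender decides who receives the bounce.
    # Vulnerable: it is the account that asked for the verification.
    # Hardened: it is a mailbox that account cannot read.
    return (SYSTEM_BOUNCES if hardened else requester), msg

def build_bounce(envelope_sender, original, reason, hardened):
    """Model the Delivery Status Notification produced when delivery fails."""
    dsn = EmailMessage()
    dsn["To"] = envelope_sender
    dsn["Subject"] = "Delivery Status Notification (Failure)"
    body = f"Delivery to {original['To']} failed: {reason}\n"
    if hardened:
        # Quote only the subject, never the body that carries the secret.
        body += f"Original subject: {original['Subject']}\n"
    else:
        body += "----- Original message -----\n" + original.get_content()
    dsn.set_content(body)
    return dsn

def simulate(hardened, requester="requester@mailer.example",
             target="unreachable@target.example"):
    """Return (bounce_reaches_requester, bounce_contains_code)."""
    code = secrets.token_hex(8)  # constructed sample secret
    sender, msg = build_verification(requester, target, code, hardened)
    dsn = build_bounce(sender, msg, "recipient does not exist", hardened)
    return str(dsn["To"]) == requester, code in dsn.get_content()

if __name__ == "__main__":
    print("vulnerable:", simulate(hardened=False))
    print("hardened:  ", simulate(hardened=True))
```

Either hardened control alone breaks the chain: the secret never leaves the service if the bounce goes to a service-owned mailbox, and a bounce that omits the original body is harmless wherever it lands.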
20 OCT > Reported to Google
20 OCT > Report triggered
1 Nov > Report Acknowledged in Hall of Fame
One of the sad parts of this research is that I was not rewarded for such a serious security issue, but they acknowledged my research and listed me in the Hall of Fame.