A researcher received $12,500 from Google for reporting several
vulnerabilities in the account recovery process that could have been
exploited to change a user’s password.
Google has started sharing on its Bughunter University website some of the
best vulnerability reports received from external researchers. The first
report shared by the search giant describes several account recovery
security issues that could have been chained together to hijack user accounts.
Many bug bounty hunters have informed Google that they’ve managed to abuse the account recovery process to hijack test accounts.
The company pointed out that researchers can hijack their own test
accounts because the account recovery process is initiated from a known
IP address and browser instance. This is a feature designed to allow
users to easily recover their accounts, particularly in cases where the
account has been hijacked by a malicious actor.
However, a researcher using the online moniker “Ramzes” identified a series of
security bugs in the account recovery process that qualified for
Google’s vulnerability reward program (VRP).
The attack described by Ramzes started with a cross-site scripting (XSS)
flaw on google.com, specifically in the API used by many Google web apps to
display help articles inline, without the user having to navigate away from the app. The
vulnerability allowed an attacker to execute arbitrary code in the
context of a help article by specifying a page they controlled in an
unsanitized URL parameter. When a victim triggered the exploit, it could
have initiated the account recovery process on google.com.
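The root cause of the first link in the chain is a URL parameter that was trusted to point at legitimate help content. The validator below is an added example written for this article, not Google's code: it shows the checks a server should apply before rendering a caller-supplied article URL inline, using a hypothetical allowlisted host (support.example.com) and rejecting the usual tricks for smuggling an attacker-controlled origin past a naive check.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts from which inline help articles may be loaded.
ALLOWED_HELP_HOSTS = {"support.example.com"}


def safe_help_article_url(raw: str) -> Optional[str]:
    """Return the URL if it may be rendered inline as a help article, else None.

    Only an absolute https URL whose host is exactly on the allowlist is
    accepted; anything that could steer the help widget at attacker-controlled
    content is rejected.
    """
    if not isinstance(raw, str) or len(raw) > 2048:
        return None
    # Reject control characters and backslashes before parsing: browsers treat
    # "\" like "/" and strip some control bytes, which urlsplit does not mirror.
    if any(ord(c) < 0x20 or c == "\\" for c in raw):
        return None
    parts = urlsplit(raw)
    # Absolute https only. This blocks javascript:, data:, http:, and
    # protocol-relative "//evil.net/..." (reported with an empty scheme).
    if parts.scheme != "https":
        return None
    # Embedded credentials ("https://support.example.com@evil.net") shift the
    # real host into the userinfo position; explicit ports are not expected.
    try:
        if parts.username is not None or parts.password is not None or parts.port is not None:
            return None
    except ValueError:  # non-numeric port such as "https://host:abc/"
        return None
    host = (parts.hostname or "").rstrip(".").lower()
    # Exact host match, never a suffix/prefix test: "support.example.com.evil.net"
    # and "evilsupport.example.com" must both fail.
    if host not in ALLOWED_HELP_HOSTS:
        return None
    return raw
```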
In the first stage of the account recovery process, users have to enter their email address on the google.com/accounts/recovery page. After the attacker enters the target’s email address, the process continues on accounts.google.com, where users are asked to enter the last password they remember.
The second form can normally only be submitted via a URL that contains a
token obtained after submitting the first form. This token should
prevent cross-site request forgery (CSRF) attacks, but Ramzes discovered
a way to bypass the protection and simulate a user clicking the “I
don’t know” button on the “Enter the last password you remember” page.
The third step in the account recovery process again takes place on the google.com
domain. In this phase, the user can instruct Google to reset the
password by sending an email to a previously specified secondary email
address. Alternatively, if they don’t have access to that email address,
users can verify their identity through other recovery options. The exploit
described by Ramzes chose the second option, allowing the attacker to
have the password reset link sent to their own email address.
For the password reset link to be sent to the attacker, a knowledge test
must be completed. However, this knowledge test can be “short-circuited”
if the attacker can precisely answer a couple of questions on when the
account was created and when it was last accessed.
While this information might seem difficult to guess, the researcher
discovered that these dates were listed on a page within the domain
where the XSS payload was running, allowing an attacker to easily obtain
the information and have the password reset link sent to an email
address they specified.
Google has fixed each of the vulnerabilities exploited in this attack. The
company is also working on moving many of its more complex services out
of google.com to their own subdomain in order to prevent flaws in one
service from affecting others.
Ramzes earned $5,000 for the XSS part of his vulnerability report and an additional $7,500 as a bug chain bonus.