Sandu Posted January 21, 2017 (edited)

In order to keep users safe from cyberattacks, several major websites have implemented bug bounty programs to give novice programmers, white hat hackers and security researchers an opportunity to discover and resolve bugs before the general public is aware of them, thereby preventing incidents of widespread abuse.

One such website is Google that invites researchers worldwide to find out flaws in its newest or existing applications, extensions, software and operating system that are available at Google Play, Chrome Web Store and/or iTunes and awards prizes to anyone who finds a legitimate bug which could be exploited. The main objective of these programs is to make Google’s applications and systems more secure and protected.

Recently, Ahmed Mehtab, a Pakistani student and CEO at Security Fuss, was listed in Google’s Hall of Fame for his contribution in Google’s Vulnerability Reward Program (VRP).

In order for Ahmed to qualify for Google’s VRP, it was important that the identified bug or vulnerability falls in any one of the categories mentioned below. If the vulnerability is identified as a valid one, the hacker can expect to receive up to $20,000 by Google as a reward.

⊙ Cross-site scripting
⊙ Cross-site request forgery
⊙ Mixed-content scripts
⊙ Authentication or authorization flaws
⊙ Server-side code execution bugs

If a user has more than one email address, Google allows the facility to associate or link all of the addresses and also allows forwarding addresses, to which emails of the primary account can be forwarded to. Ahmed found a way to prove that these methods adopted by Google were actually vulnerable to authentication or verification bypass, which leads to the hijacking of the email IDs. However, it is possible only if one of the following cases is true:

⊙ Recipient of the SMTP is offline.
⊙ If recipient has deactivated his email.
⊙ Recipient doesn’t exist or invalid email ID.
⊙ The recipient exists but has blocked the sender.

Further, here is how hijacking is carried out:

1. Attacker tries to confirm ownership of an email address by emailing Google.
2. Google sends an email to that address for confirmation.
3. The email address is not capable to receive email and hence, email is bounced back to the actual sender.
4. The bounced email will contain the verification code.
5. Attacker takes that verification code and confirms his ownership to that particular address.

This is not the first time when a Pakistani hacker has reported such serious security flaws. Earlier, security researcher Rafay Baloch was paid $5000 as a bug bounty for reporting dangerous flaws in Chrome and Firefox along with $10,000 for revealing a Code Execution/Command Execution vulnerability in PayPal that allowed hackers to execute any command on the server.

Via @Techworm

Edited January 21, 2017 by Sandu
title :(
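The bounce described in the post carries the confirmation code back in a delivery status notification, so one defensive control is to treat a bounce as proof that the address cannot confirm anything. The sketch below is an added example, not code from the post or from Google: it assumes the service sends confirmation mail with its own bounce address, so notifications reach the service, and the names `failed_recipients`, `handle_bounce`, `confirm` and the `pending` store are hypothetical.

```python
import email
from email import policy
# Constructed sample bounce (RFC 3464 layout); addresses and code are made up.
SAMPLE_DSN = """\
To: bounces@service.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; Victim@example.org
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

To: victim@example.org

Your confirmation code is 123456
--b1--
"""

def failed_recipients(raw):
    """Addresses a DSN reports as failed; empty set if the mail is not a DSN."""
    msg = email.message_from_string(raw, policy=policy.default)
    failed = set()
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        for block in part.get_payload():  # one header block per recipient
            if str(block.get("Action", "")).strip().lower() == "failed":
                addr = str(block.get("Final-Recipient", "")).split(";", 1)[-1]
                failed.add(addr.strip().lower())
    return failed

def handle_bounce(raw, pending):
    """Void pending codes whose confirmation mail bounced; return those addresses."""
    hit = {a for a in failed_recipients(raw) if a in pending}
    for addr in hit:
        pending[addr]["voided"] = True
    return hit

def confirm(pending, addr, code):
    """Accept a code only if it matches and its mail was never reported bounced."""
    entry = pending.get(addr.lower())
    return bool(entry) and not entry["voided"] and entry["code"] == code
```
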
Byte-ul Posted January 21, 2017

What a crap clickbait title. Put the original one.
underground-market Posted January 22, 2017

SENDERS:
Inbox Webmail (1000 Emails / hour)
Business Webmail (500 Emails/Shoot, Unlimited/Day)
Inbox Mailer with or without Attachment
SMTP Servers, IP and Domains

HOSTINGS:
Windows Hosting (for ScamPages, Deliver Results)
Shell (compress/Uncompress, Deliver Results)
FTP
BulletProof Hosting (2 database, 1 Month warranty, Renewal option)
Linux Hosting (2 database, 1 Month warranty, Renewal option)
Onion Hosting (2 database, 1 Month warranty, Renewal option)

EMAIL ADDRESS
Single Domain Leads, mixed Countries, updated January 2017
Worldwide Email Address, mixed Domains, updated January 2017
Business Email Address, mixed Domains, mostly webmails, updated January 2017

More products will come ... be watching us!
For more info please visit www.underground-market.ru

Thank you,
Admin
ovixresources11 Posted April 28, 2017

Do you still have these products listed above... what are the cost? I will need good SMTP for massive launching.