Google Patches Serious Account Recovery Vulnerabilities

Google Fixes Flaws That Could Have Allowed Hackers to Hijack User Accounts

A researcher got $12,500 from Google for reporting several vulnerabilities in the account recovery process that could have been exploited to change a user’s password.

Google has started sharing on its Bughunter University website some of the best vulnerability reports received from external researchers. The first report shared by the search giant describes several account recovery security issues that could have been chained together to hijack user accounts.

Many bug bounty hunters have informed Google that they’ve managed to abuse the account recovery process to hijack test accounts. The company pointed out that researchers can hijack their own test accounts because the account recovery process is initiated from a known IP address and browser instance. This is a feature designed to allow users to easily recover their accounts, particularly in cases where the account has been hijacked by a malicious actor.

However, a researcher using the online moniker “Ramzes” identified a series of security bugs in the account recovery process that qualified for Google’s vulnerability reward program (VRP).

The attack described by Ramzes started with a cross-site scripting (XSS) flaw on google.com, specifically the API used by many Google web apps to display help articles inline without the user having to navigate to the Help Center.

Google XSS

This vulnerability allowed an attacker to execute arbitrary code in the context of a help article by specifying a page they controlled in an unsanitized URL parameter. When a victim triggered the exploit, it could have initialized the account recovery process on google.com.

In the first stage of the account recovery process, users have to enter their email address on the google.com/accounts/recovery page. After the attacker enters the target’s email account, the process continues on accounts.google.com, where users are asked to enter the last known password.

This second form can normally only be submitted via a URL that contains a token obtained after submitting the first form. This token should prevent cross-site request forgery (CSRF) attacks, but Ramzes discovered a way to bypass the protection and simulate a user clicking the “I don’t know” button on the “Enter the last password you remember” page.
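The two server-side checks below are an added illustration of the defensive counterparts to the first two links in this chain (the unsanitized URL parameter used to load an inline help article, and the per-step token that is meant to keep the second recovery form from being submitted without the first). It is not Google's code and the report does not say how Google's implementation worked; the parameter name, the allowlisted help host, the session identifier and the step numbering are all assumptions made for the example.

```python
"""Added example, not code from the article or from Google.

Two checks that address the weaknesses described above:
  1. an allowlist check on a URL parameter before its content is embedded
     inline (instead of trusting whatever page the parameter names), and
  2. an HMAC-bound step token that ties a multi-step form to the session
     that completed the previous step, so the later form cannot be reached
     or submitted directly.
All names and values are assumptions constructed for the example.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import urlparse

# Assumed allowlist: only help content from this host may be embedded inline.
ALLOWED_HELP_HOSTS = {"support.example.com"}


def validate_article_url(raw: str) -> Optional[str]:
    """Return the URL unchanged if it is https and on an allowlisted host,
    otherwise None. Rejecting is safer than trying to 'clean' a URL: other
    hosts, javascript:/data: schemes and userinfo tricks all fall through
    to None."""
    try:
        parsed = urlparse(raw)
    except ValueError:
        return None
    if parsed.scheme != "https":
        return None
    if parsed.username is not None or parsed.password is not None:
        return None
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HELP_HOSTS:
        return None
    return raw


# Per-deployment secret; generated here only so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_MAX_AGE_SECONDS = 600


def issue_step_token(session_id: str, completed_step: int,
                     now: Optional[float] = None) -> str:
    """Issue a token proving that `session_id` completed `completed_step`.
    Format: <step>.<timestamp>.<hex HMAC over session|step|timestamp>."""
    ts = int(now if now is not None else time.time())
    msg = f"{session_id}|{completed_step}|{ts}".encode()
    sig = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{completed_step}.{ts}.{sig}"


def verify_step_token(token: str, session_id: str, required_step: int,
                      now: Optional[float] = None) -> bool:
    """Accept the token only if it was issued to this session for exactly
    `required_step`, is not expired, and its MAC verifies. A token for a
    different session, a different step, or an altered MAC is rejected."""
    try:
        step_s, ts_s, sig = token.split(".")
        step, ts = int(step_s), int(ts_s)
    except ValueError:
        return False
    if step != required_step:
        return False
    current = now if now is not None else time.time()
    if current - ts > TOKEN_MAX_AGE_SECONDS or ts > current:
        return False
    msg = f"{session_id}|{step}|{ts}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    print(validate_article_url("https://support.example.com/articles/42"))
    print(validate_article_url("https://attacker.example/page"))
    tok = issue_step_token("session-abc", 1)
    print(verify_step_token(tok, "session-abc", 1))
    print(verify_step_token(tok, "other-session", 1))
```

The second form's handler would call `verify_step_token` with the token from the URL, the caller's own session identifier and the step number it requires before doing anything else; binding the token to the session is what makes it useless when it arrives from anyone other than the browser that submitted step one.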

The third step in the account recovery process again takes place on the google.com domain. In this phase, the user can instruct Google to reset the password by sending an email to a previously specified secondary email address. Alternatively, if they don’t have access to that email address, users can verify their identity for other recovery options. The exploit described by Ramzes chose the second option, allowing the attacker to have the password reset link sent to their own email address.

For the password reset link to be sent to the attacker, a knowledge test must be completed. However, this knowledge test can be “short-circuited” if the attacker can precisely answer a couple of questions on when the account was created and when it was last accessed.

While this information might seem difficult to guess, the researcher discovered that these dates were listed on a page within the domain where the XSS payload was running, allowing an attacker to easily obtain the information, and have the password reset link sent to an email address they specified.

Google said it fixed each of the vulnerabilities exploited in this attack. The company is also working on moving many of its more complex services out of google.com to their own subdomains in order to prevent flaws in one service from affecting others.

Ramzes earned $5,000 for the XSS part of his vulnerability report and an additional $7,500 as a bug chain bonus.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.