Google Patches Serious Account Recovery Vulnerabilities

Google Fixes Flaws That Could Have Allowed Hackers to Hijack User Accounts

A researcher got $12,500 from Google for reporting several vulnerabilities in the account recovery process that could have been exploited to change a user’s password.

Google has started sharing on its Bughunter University website some of the best vulnerability reports received from external researchers. The first report shared by the search giant describes several account recovery security issues that could have been chained together to hijack user accounts.

Many bug bounty hunters have informed Google that they’ve managed to abuse the account recovery process to hijack test accounts. The company pointed out that researchers can hijack their own test accounts because the account recovery process is initiated from a known IP address and browser instance. This is a feature designed to allow users to easily recover their accounts, particularly in cases where the account has been hijacked by a malicious actor.

However, a researcher using the online moniker “Ramzes” identified a series of security bugs in the account recovery process that qualified for Google’s vulnerability reward program (VRP).

The attack described by Ramzes started with a cross-site scripting (XSS) flaw on, specifically the API used by many Google web apps to display help articles inline without the user having to navigate to the Help Center.

This vulnerability allowed an attacker to execute arbitrary script in the context of a help article by specifying a page they controlled in an unsanitized URL parameter. When a victim triggered the exploit, it could have initiated the account recovery process on
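The root cause described above is a URL parameter that was trusted to select the page rendered inline. The following is an added example, not code from Google or from the researcher's report, of the check a defender would put in front of such a parameter: resolve it against a single trusted origin, accept only https on that exact origin, and pin the path to the help-article namespace. The origin `https://help.example.com` and the `/answer/` prefix are constructed assumptions for the demo, not values from the affected service.

```javascript
// Added example (not Google's code): allowlist validation for a URL parameter that tells a
// web app which help article to load inline. HELP_ORIGIN and the /answer/ prefix are
// constructed assumptions for this demo, not values from the service described in the article.
const HELP_ORIGIN = 'https://help.example.com';
const ALLOWED_PATH_PREFIX = '/answer/';

// Returns a normalized, same-origin https URL string, or null if the parameter must be rejected.
function resolveHelpUrl(param, origin = HELP_ORIGIN) {
  if (typeof param !== 'string' || param.length === 0 || param.length > 2048) return null;

  let url;
  try {
    // A relative value resolves against the trusted origin; an absolute value keeps its own,
    // which the origin check below then compares against the allowlist.
    url = new URL(param, origin);
  } catch {
    return null; // unparseable input
  }

  // Scheme and origin must match exactly. This rejects javascript: and data: URLs,
  // protocol-relative "//other.host/..." values, http:// downgrades and the backslash
  // variant "/\other.host/...", which the WHATWG parser treats as an authority for https.
  if (url.protocol !== 'https:' || url.origin !== new URL(origin).origin) return null;

  // Pin the path to the help-article namespace so the parameter cannot point the inline
  // viewer at arbitrary pages on the same origin.
  if (!url.pathname.startsWith(ALLOWED_PATH_PREFIX)) return null;

  // Strip parts the viewer never needs before the URL reaches any DOM sink.
  url.username = '';
  url.password = '';
  url.hash = '';
  return url.href;
}

// Constructed sample inputs: the first three should be accepted, the rest rejected.
const SAMPLES = [
  '/answer/12345',
  'https://help.example.com/answer/1?hl=en',
  '/answer/1#frag',
  '//evil.example/answer/1',
  '/\\evil.example/answer/1',
  'https://evil.example/answer/1',
  'http://help.example.com/answer/1',
  'javascript:void(0)',
  '/settings/profile',
];

function classifySamples(samples = SAMPLES) {
  return samples.map((s) => ({ input: s, resolved: resolveHelpUrl(s) }));
}

for (const { input, resolved } of classifySamples()) {
  console.log(`${resolved ? 'ACCEPT' : 'REJECT'}  ${input}${resolved ? ' -> ' + resolved : ''}`);
}
```

The comparison is done on the parsed `origin`, not on a string prefix, because string checks are exactly what protocol-relative and backslash variants are designed to slip past. The path prefix check is the second layer: even a same-origin value should only be able to load what the inline viewer is meant to show.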

In the first stage of the account recovery process, users have to enter their email address on the page. After the attacker enters the target’s email address, the process continues on, where users are asked to enter the last known password.

This second form can normally only be submitted via a URL that contains a token obtained after submitting the first form. This token should prevent cross-site request forgery (CSRF) attacks, but Ramzes discovered a way to bypass the protection and simulate a user clicking the “I don’t know” button on the “Enter the last password you remember” page.

The third step in the account recovery process again takes place on the domain. In this phase, the user can instruct Google to reset the password by sending an email to a previously specified secondary email address. Alternatively, if they don’t have access to that email address, users can verify their identity through other recovery options. The exploit described by Ramzes used the second option, allowing the attacker to have the password reset link sent to their own email address.

For the password reset link to be sent to the attacker, a knowledge test must be completed. However, this knowledge test can be “short-circuited” if the attacker can precisely answer a couple of questions about when the account was created and when it was last accessed.

While this information might seem difficult to guess, the researcher discovered that these dates were listed on a page within the domain where the XSS payload was running, allowing an attacker to easily obtain the information, and have the password reset link sent to an email address they specified.

Google said it fixed each of the vulnerabilities exploited in this attack. The company is also working on moving many of its more complex services out of to their own subdomain in order to prevent flaws in one service from affecting others.

Ramzes earned $5,000 for the XSS part of his vulnerability report and an additional $7,500 as a bug chain bonus.

Related: Google Pays $25,000 Reward for Critical Chrome Flaw

Related: Google Patches Critical Vulnerabilities in Android

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
