Security researcher Oren Hafif recently uncovered a vulnerability that tricks Gmail users into giving away their passwords.
Walking through the Account Recovery process found at https://www.google.com/accounts/recovery/, Hafif discovered the vulnerability.
In Hafif’s blog post, he noted that Google could improve its Cross-Site Request Forgery (CSRF) protection by using CAPTCHAs consistently (the obscured images used to tell bots and humans apart).
An example of a common CAPTCHA
Eventually, Hafif used a phishing email to launch a Cross-site scripting (XSS) attack. In the video below, Hafif demonstrates the exploit from start to finish.
The link in the phishing email first takes you to the hacker’s website, but this probably wouldn’t be noticed because of the quick redirect.
The flaw has since been fixed by Google, taking 10 days to remedy according to Hafif.
Reports such as these only serve to confirm that no application is perfectly secure. However, it is still comforting to know there are white-hat researchers that are reporting those affecting major services like Google.
For responsibly disclosing the vulnerability, Hafif will be rewarded under the Google Vulnerability Reward Program.
Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis. Follow him on Twitter @joshcannell
Websites, whether they are personal ones or belong to large corporations and governments, are constantly under attack.
Even when web administrators do their best to secure their properties from remote file inclusion, malicious shell uploads, SQL injection or brute-force attacks, to name a few, they are still susceptible to threats that are out of their control.
Google recently stepped in to provide website protection services that include mitigation of Distributed Denial of Service (DDoS) attacks as well as other types of attacks aimed at blocking politically sensitive websites.
The program, dubbed Project Shield, is currently an invite-only service and is free (for now).
Two of the biggest security concerns for smartphone users are losing the device and having it stolen; smartphones are pocket-sized and can easily be misplaced or grabbed by the wrong hands.
Ok, so some of them aren’t really pocket-sized any longer, but smartphones have become a huge part of our lives and we store a huge amount of our personal data on them. If we lose track of them, we tend to panic, although often they are just misplaced at home.
However, sometimes they do wind up in the wrong hands.
Android has been in the news a lot recently, often not for the reasons Google would like: malware has boomed on Android since 2010 and doesn’t seem to be letting up anytime soon.
With all the malware out there, you can still stay safe. Google has heard the same buzz you have and has made changes to its operating system to help protect you.
Google is taking the necessary steps to keep its users safe, making security improvements to Android that help keep malware off your phone and tablet.