Security researcher Oren Hafif recently uncovered a vulnerability that tricks Gmail users into giving away their passwords.
Hafif discovered the vulnerability while walking through the Account Recovery process found at https://www.google.com/accounts/recovery/.
In his blog post, Hafif noted that Google could improve its Cross-Site Request Forgery (CSRF) protection by using CAPTCHAs consistently, those obscure images used to tell bots and humans apart.
An example of a common CAPTCHA
Eventually, Hafif used a phishing email to launch a Cross-site scripting (XSS) attack. In the video below, Hafif demonstrates the exploit from start to finish.
The link in the phishing email first takes you to the hacker’s website, but this probably wouldn’t be noticed because of the quick redirect.
The flaw has since been fixed by Google, taking 10 days to remedy according to Hafif.
Reports such as these only serve to confirm that no application is perfectly secure. However, it is still comforting to know there are white-hat researchers reporting flaws that affect major services like Google.
For responsibly disclosing the vulnerability, Hafif will be rewarded under the Google Vulnerability Reward Program.
Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis. Follow him on Twitter @joshcannell
LinkedIn recently launched Intro, an iOS app that integrates LinkedIn’s profiles with the iOS mail app, where all incoming emails will display the senders’ LinkedIn profile.
Sounds very useful, especially if you’re looking to grow your network of professional connections. What’s causing a bit of a stir is how it’s implemented and the potential for security holes.
One of the largest threats facing users today is from Phishing attacks, or social engineering attempts at getting the average person to click on a malicious link.
The most common form of phishing comes from email; however, another form can come from sources like social media, such as Facebook or Google+, services that typically have anti-spam, anti-phishing and anti-exploit features.
Though with every successful integration of anti-spam, anti-phishing and anti-exploit functionality, the bad guys go right back to the drawing board to find a new way to make your life miserable.
Today is a big day for Apple and their millions of users worldwide who are waiting to hear about the latest features for the new iPhone.
The Cupertino-based company was set to unveil what many hope to be big additions in order to stay in the game and compete against Android.
Meanwhile, the bad guys seem to be more interested in robbing Apple users than rejoicing about the big news of the iPhone 5S.
Phishing emails are being sent en masse to harvest people’s Apple ID. The emails contain links to external phishing websites:
WordPress & Joomla! in the bull’s eye
If you run your own website – but not Blogger and other free ones – chances are it is powered by one of the two most common Content Management Systems (CMS) on the planet: WordPress and Joomla!.
There are very active campaigns making the rounds right now targeting these two platforms. A botnet comprised of nearly 25,000 infected computers is attacking login pages by performing ‘brute-force attacks’.
The Fort Disco botnet tries tens of thousands of username/password combinations until a match is found. Once logged in, the bad guys use your website to host phishing, spam or even malware.
At the same time, a critical security flaw has been discovered in Joomla! where an attacker could easily upload a backdoor by simply adding a ‘.’ at the end of the file name.
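One way to spot the login brute-forcing described above in your own web server logs, as an added example that is not part of the original post: it counts POSTs to the WordPress and Joomla! login pages and flags both a single noisy source and the distributed pattern a botnet produces when each infected machine only tries a few guesses. The combined log format, the thresholds and the sample lines are assumptions.

```python
import re
from collections import Counter

# Login endpoints of the two CMSes discussed above.
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php"}

# Apache/nginx combined log layout; the regex is an assumption about that format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def login_posts(lines):
    """Yield (ip, path) for every POST to a CMS login page in the log lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing on them
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path in LOGIN_PATHS:
            yield m.group("ip"), path

def flag_bruteforce(lines, per_ip_limit=5, distinct_ip_limit=3):
    """Return (noisy_ips, distributed_targets): IPs sending more than per_ip_limit
    login POSTs, and login pages hit from more than distinct_ip_limit different IPs
    (the botnet pattern, which a per-IP limit alone would miss)."""
    per_ip = Counter()
    ips_per_path = {}
    for ip, path in login_posts(lines):
        per_ip[ip] += 1
        ips_per_path.setdefault(path, set()).add(ip)
    noisy = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    distributed = sorted(p for p, ips in ips_per_path.items() if len(ips) > distinct_ip_limit)
    return noisy, distributed

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Aug/2013:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
] + [
    f'203.0.113.10 - - [26/Aug/2013:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1450'
    for s in range(2, 8)
] + [
    f'203.0.113.{n} - - [26/Aug/2013:10:01:{n:02d} +0000] "POST /administrator/index.php?option=com_login HTTP/1.1" 303 0'
    for n in (21, 22, 23, 24)
]

if __name__ == "__main__":
    noisy, distributed = flag_bruteforce(SAMPLE_LOG)
    print("single-source brute force from:", noisy, "| distributed attempts against:", distributed)
```

Feed it `open("/var/log/apache2/access.log")` instead of `SAMPLE_LOG` and tune the thresholds to your site's normal login volume; the distributed check is the one that matters against a botnet spreading guesses across thousands of hosts.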