
Ahmed Mehtab: Pakistani hacker appears in Google’s Hall of Fame list

Tech giant Google awards and recognizes individuals who find bugs and flaws in its applications and systems. As a result, an ethical hacker from Pakistan, Ahmed Mehtab, was recently inducted into Google's Hall of Fame list for his contribution to Google's Vulnerability Reward Program.

Ahmed Mehtab's profile was also listed in the Google Vulnerability Reward Program Hall of Fame.


Contribution from Ahmed Mehtab

Google gives users the option of linking email addresses if they have more than one. In addition, Google provides forwarding addresses, to which email for the primary account can be forwarded.

A Pakistani student and the CEO of SecurityFuse, Ahmed Mehtab discovered a technique that showed these mechanisms to be vulnerable to an authentication or verification bypass.

However, this is possible only if one of the following is true:

1. The recipient's mail server (SMTP, Simple Mail Transfer Protocol) is offline
2. The recipient has deactivated their email account
3. The recipient does not exist
4. The recipient exists but has blocked the sender

The procedure is as follows:

a. The attacker tries to confirm ownership of abc@gmail.com
b. In return, Google sends a confirmation email to abc@gmail.com
c. abc@gmail.com cannot receive email, so the message bounces back to the sender (the attacker)
d. The bounced email contains the verification code
e. The attacker takes that verification code and confirms ownership of abc@gmail.com
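The defensive counterpart to the procedure above, as an added example that is not part of the article and not Google's code: a hypothetical verification service in which a pending ownership code is thrown away the moment a delivery status notification (DSN, RFC 3464) reports that the confirmation mail failed. The `NaiveVerifier` and `BounceAwareVerifier` classes, the `failed_recipients` parser and the sample bounce message are all constructed for this illustration; the only value taken from the article is the placeholder address abc@gmail.com.

```python
"""Constructed illustration of a bounce-aware verification flow (not from the
article or Google): a pending ownership code is invalidated as soon as a DSN
reports that the confirmation mail could not be delivered."""
import hmac
import secrets
from email import message_from_string

# Constructed RFC 3464 bounce, as the sending side receives it when the
# recipient mailbox is unreachable. All addresses are placeholders.
CONSTRUCTED_DSN = """\
From: Mail Delivery Subsystem <mailer-daemon@mail.example>
To: verifier@service.example
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered to one or more recipients.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example

Final-Recipient: rfc822; abc@gmail.com
Action: failed
Status: 5.1.1
--b1--
"""


def failed_recipients(raw_dsn):
    """Return addresses a DSN reports as failed (empty list for non-DSN mail)."""
    msg = message_from_string(raw_dsn)
    if msg.get_content_type() != "multipart/report":
        return []
    failed = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # Python's parser splits a delivery-status body into header blocks:
        # one per-message block, then one block per recipient.
        for block in part.get_payload():
            if block.get("Action", "").strip().lower() != "failed":
                continue
            recipient = block.get("Final-Recipient", "")
            # Field has the form "<address-type>; <address>".
            failed.append(recipient.split(";")[-1].strip().lower())
    return failed


class NaiveVerifier:
    """Accepts any outstanding code, whatever happened to the confirmation mail.

    This is the behaviour the article describes: a code read out of a bounce
    is as good as one read from the recipient's mailbox.
    """

    def __init__(self):
        self.pending = {}  # address -> outstanding code

    def request(self, address):
        code = secrets.token_hex(4)
        self.pending[address.lower()] = code
        return code  # stands in for the body of the outbound confirmation mail

    def handle_bounce(self, raw_dsn):
        pass  # delivery failures are ignored

    def confirm(self, address, code):
        expected = self.pending.get(address.lower())
        return expected is not None and hmac.compare_digest(expected, code)


class BounceAwareVerifier(NaiveVerifier):
    """Treats a failed delivery as proof that the claimed owner never saw the code."""

    def handle_bounce(self, raw_dsn):
        for address in failed_recipients(raw_dsn):
            self.pending.pop(address, None)  # code is dead once it bounces

    def confirm(self, address, code):
        ok = super().confirm(address, code)
        if ok:
            del self.pending[address.lower()]  # single use
        return ok


def attacker_flow(verifier_cls):
    """Steps a to e above: the mail bounces and the sender replays the echoed code."""
    v = verifier_cls()
    code = v.request("abc@gmail.com")  # the bounce quotes this code back to the sender
    v.handle_bounce(CONSTRUCTED_DSN)  # the MTA returns the undeliverable mail
    return v.confirm("abc@gmail.com", code)


def owner_flow(verifier_cls):
    """Normal case: the mail is delivered and the real owner enters the code."""
    v = verifier_cls()
    code = v.request("owner@example")
    return v.confirm("owner@example", code)
```

`attacker_flow(NaiveVerifier)` returns True, reproducing the bypass; `attacker_flow(BounceAwareVerifier)` returns False while `owner_flow` still succeeds for both, so the fix costs legitimate users nothing. The same idea applies to any service that proves ownership by mailing a code: the bounce handler is part of the authentication path, not just a deliverability metric.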

What is Google Vulnerability Reward Program?

The Google Vulnerability Reward Program was started to find bugs and other vulnerabilities in Google-owned web services. Its scope also includes Google-developed apps and extensions published on Google Play, iTunes, or the Chrome Web Store.

To qualify for the reward program, the bug has to fall into one of the following categories:

1. Cross-site scripting
2. Cross-site request forgery
3. Mixed-content scripts
4. Authentication or authorization flaws
5. Server-side code execution bugs

Anyone who finds weaknesses in the aforementioned areas is eligible for a reward. A bug finder can earn up to $20,000 from Google as a monetary reward.

Source: SecurityFuse
