Google Email Recovery Vulnerability (Removing Secondary E-mail Address -Self Exploit

    #Title: Google Email Recovery Vulnerability (Removing Secondary E-mail Address - Self Exploitation)
    #Author: Sandeep Kamble (www.SandeepKamble.com)
    #Risk Factor: Low (why low, please read below)
    #Attack Type: User A can access User B's account link to remove the secondary e-mail address
    #Reported Date: Oct 21, 2011


    Overview:

    On the Google account settings page, when you reset your Google account password, it sends a Reset Password link to your secondary email address. In that mail there is one more link which can be used to remove your secondary email address.

    Vulnerability Description:

    This vulnerability can be used to remove the secondary email address. To exploit it we needed to guess the ?C variable token in order to access any user's account link that can be used to remove the secondary email address. The ?C variable token is generated at the server side, so it is not possible to guess this token, and so the action can be performed at the victim's side only. (Self Exploitation)

    Vulnerable Link

    https://www.google.com/accounts/Acco...z_7p8Z4B&hl=en
    The link has two options: one option removes the secondary email and the other cancels the email-removal operation.
    The above link is accessible to everyone. We cannot generate the token number, so we can find the token using

    Google Dork: Inurul : /AccountDisavow?c=

    If you click on the radio button “No, I didn't create *******@gmail.com - remove my email address, ********@yahoo.com, from this Google Account.” and then click Continue, it will remove the email and delete the link token.
    This link will be dead; no one can access it again!

    But if you click on “Yes, *******@gmail.com is my Google Account.” and press Continue,
    the token is not deleted, so those pages may be indexed in Google.

    Proof of Concept
    http://dl.dropbox.com/u/18007092/yoyooyoyoyooy.png
    http://dl.dropbox.com/u/18007092/Google%20Dork%20.png

    This bug was not qualified by Google because I tried my best to manage the token value of ?C but I failed to manage it.
    Special thanks to Amol Naik, Anil, veenu bhai

    Warm Regards

    Sandeep Kamble
    www.sandeepkamble.com
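The behaviour the post describes, where the disavow link dies after "No" but stays live after "Yes", is modelled below as an added Python example. This is not Google's code and not the author's; the service class, the example host in the link, the 24-hour lifetime and the response headers are all assumptions. The vulnerable variant only invalidates the token on the "No" path; the hardened variant consumes it on any decision, expires unused links, and stores only a hash of the token so a leaked database does not hand out live links.

```python
"""Model of a one-time 'is this your account?' recovery link (added example).

Two handler variants for the AccountDisavow?c=<token> link described in the
post. Everything here is constructed for illustration: host, TTL, headers.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

TTL_SECONDS = 24 * 60 * 60  # assumed lifetime of an unused link


@dataclass
class TokenRecord:
    account: str
    secondary_email: str
    created_at: float
    consumed: bool = False


class DisavowService:
    """In-memory stand-in for the server that issues and redeems the link."""

    def __init__(self, single_use_on_any_decision: bool):
        self.single_use = single_use_on_any_decision
        self.accounts: Dict[str, Optional[str]] = {}   # account -> secondary email
        self._tokens: Dict[str, TokenRecord] = {}       # sha256(token) -> record

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored; the raw token lives in the e-mail alone.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_link(self, account: str, secondary_email: str,
                   now: Optional[float] = None) -> str:
        """Send-time: mint an unguessable token and bind it to the account."""
        self.accounts[account] = secondary_email
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = TokenRecord(
            account, secondary_email, now if now is not None else time.time())
        return f"https://accounts.example.invalid/AccountDisavow?c={token}"

    def _lookup(self, token: str, now: Optional[float] = None) -> Optional[TokenRecord]:
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec.consumed:
            return None
        current = now if now is not None else time.time()
        if current - rec.created_at > TTL_SECONDS:
            return None  # expired: an old indexed link must not keep working
        return rec

    def decide(self, token: str, created_account: bool,
               now: Optional[float] = None) -> str:
        """Click-time: handle the radio-button choice; returns the outcome."""
        rec = self._lookup(token, now)
        if rec is None:
            return "invalid"  # dead link: used, expired or never issued
        if not created_account:
            # "No, I didn't create it": drop the secondary address; link dies.
            self.accounts[rec.account] = None
            rec.consumed = True
            return "removed"
        # "Yes, this is my account".
        if self.single_use:
            rec.consumed = True  # hardened: the link dies on this path too
        return "confirmed"


def token_from_link(link: str) -> str:
    """Extract the c= parameter the handler receives from a recovery link."""
    return parse_qs(urlparse(link).query)["c"][0]


# Assumed headers for the decision page: keep it out of search indexes and
# caches even if a link leaks, independent of token handling.
RESPONSE_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow",
    "Cache-Control": "no-store",
}


def run_scenario(single_use: bool) -> Tuple[str, str, Optional[str]]:
    """Click 'Yes' first, then replay the same link choosing 'No'."""
    svc = DisavowService(single_use_on_any_decision=single_use)
    link = svc.issue_link("owner@example.invalid", "backup@example.invalid")
    token = token_from_link(link)
    first = svc.decide(token, created_account=True)
    second = svc.decide(token, created_account=False)
    return first, second, svc.accounts["owner@example.invalid"]


if __name__ == "__main__":
    print("vulnerable:", run_scenario(single_use=False))
    print("hardened:  ", run_scenario(single_use=True))
```

In the vulnerable run the replay removes the secondary address; in the hardened run the second click is rejected and the address survives. The expiry check matters for the same reason the post gives: a link that is never consumed can sit in a search index indefinitely, so a server-side lifetime bounds how long any leaked copy is worth anything.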
    This article was originally published in forum thread: Google Email Recovery Vulnerability (Removing Secondary E-mail Address -Self Exploit, started by [s].

    Comments (4)
    Snypter -
      Doing this is also a great deal; doesn't matter it didn't qualify ... Good work Bro .. I am sure you'll rip some ass next time. More power to you.

    [s] -
      @Snypter my bug lately got Qualified.

    [s] -
      here is link
      Code:
       http://www.garage4hackers.com/f11/google-email-recovery-vulnerability-removing-secondary-e-mail-address-self-exploit-1842.html

    Snypter -
      Quote Originally Posted by [s]:
      here is link
      Code:
       http://www.garage4hackers.com/f11/google-email-recovery-vulnerability-removing-secondary-e-mail-address-self-exploit-1842.html
      haha Congrats! You pulled the victory