Thread: Google Account Password Reset Vulnerability using Mobile Sec Token [ClickJacking]

  1. #1

    Google Account Password Reset Vulnerability using Mobile Sec Token [ClickJacking]

    #Title: Google Account Password Reset Vulnerability using Mobile Sec Token [ClickJacking]
    #Author: Sandeep Kamble
    #Business Risk : High Risk
    #Attack Type: Click jacking
    #Tested Browser: Firefox 3.6
    #OS: Win 7 / Linux
    #Reported Date: 06-01-2012

    Summary

    I recently reported a clickjacking vulnerability to Google, involving the Google Account Recovery Options Prompt page where users save their mobile number.
    Normally, losing access can mean not being able to send mail to friends, not being able to access photos or documents you've created online, and not being able to access any of the information stored on your Google Account. Google provided one unique option to submit a mobile number into the Google account. With that, the user recovers the password by verifying a Mobile Sec Token.
    Google says “A mobile phone is one of the easiest and quickest ways to help protect your account. It's more secure than your recovery email address or your security question because you usually have your phone with you.” Oh yeah, a fast way to get hacked also.

    How did it work?

    Google provided a mobile number update page, where users can update their mobile number. I noticed that this Google mobile update page was missing X-Frame-Options. This is the smell of a clickjacking vulnerability.

    Code:
    Vulnerable URL:  https://accounts.google.com/b/0/AccountRecoveryOptionsPrompt?continue=https%3A%2F%2Faccounts.google.com%2Fb%2F0%2FEditPasswd&sarp=1&level=WITHOUT_PHONE

    In short, a clickjacking vulnerability involves the attacker crafting a webpage that initiates a request to a web site (Google). This interacts with UI elements on that site, while the victim thinks he is interacting with another site, that of the attacker.

    Proof of Concept

    Example of ClickJacking Crafted Site (Iframe Opacity 0):
    [img]http://dl.dropbox.com/u/18007092/google/img2.png[/img]

    Iframe opacity visible (here you will get a clear picture):



    When the victim drags the old crap computer into the trash, he is actually dragging the attacker's number into the Google Account page. When the victim clicks on the Save or Go button, he is actually clicking on “Add Phone” on the Google page. After successful execution of the above steps, the attacker's mobile number is automatically added into the Google Account.
    Now it is the attacker's turn: to change the victim's password, the attacker uses the Google Password Recovery service, where he needs to choose the Mobile option to recover the password.

    The following is the attacker screen.
    Code:
    URL: https://www.google.com/accounts/recovery/recoveryoptions


    When the attacker clicks Continue, he receives the verification code, a 6-digit number, on his mobile number, which is needed while resetting the password.



    After successful submission of the password, finally you will see a heaven window which will allow the attacker to change the password!

    http://dl.dropbox.com/u/18007092/google/img6.png

    W00t! Finally the attacker has changed the password using the clickjacking vulnerability in the Google Account.


    Reference: https://www.owasp.org/index.php/Clickjacking

    Original PoC Link:

    Code:
    http://f9pix.com/Google%20hy5xoe/click-D22JJJSFSB23KMH3874KNM1HJ.html
    More description in video:
    Code:
    http://f9pix.com/Google hy5xoe/Google.flv

    Special Thanks To Amol Naik And G4h Team

    Thanks to the Google Security Team for patching the vulnerability in a very fast manner.

    Sign Out !
    [S]
    Last edited by [s]; 06-26-2012 at 01:45 PM.
    Garage4Hackers bugs for the community , of the community

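As an added defender-side check (example code, not from the original post or from Google), the following Python classifier reports the framing policy an HTTP response advertises; the missing X-Frame-Options "smell" described above is the "unprotected" case. The sample responses are constructed for an offline run.

```python
# Added example (not code from the original post or from Google): classify the
# framing policy an HTTP response advertises. A page that lands in the
# "unprotected" bucket can be loaded in a third-party iframe, which is the
# precondition for the drag-and-drop clickjacking described in the post.
from typing import Dict, List


def framing_policy(headers: Dict[str, str]) -> str:
    """Return one of: blocked, same-origin, restricted, unprotected."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # CSP frame-ancestors takes precedence over X-Frame-Options when both exist.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "blocked"
            if sources == ["self"]:
                return "same-origin"
            if "*" in sources:
                return "unprotected"
            return "restricted"  # explicit allow-list of framing origins

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM was never supported by Chrome/Safari and was dropped by Firefox,
    # so it (and any other unrecognised value) gives no reliable protection.
    return "unprotected"


def frameable_pages(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of responses that any origin may frame (the clickjacking 'smell')."""
    return [name for name, hdrs in responses.items()
            if framing_policy(hdrs) == "unprotected"]


# Constructed sample responses, keyed by a label, for an offline run.
SAMPLES = {
    "recovery_prompt_no_header": {"Content-Type": "text/html; charset=utf-8"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_allowlist": {"Content-Security-Policy": "frame-ancestors https://trusted.example"},
    "csp_wildcard_beats_xfo": {"X-Frame-Options": "DENY",
                               "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name in frameable_pages(SAMPLES):
        print(f"{name}: frameable by any origin -> clickjacking exposure")
```

Note that a wildcard `frame-ancestors` silently overrides an otherwise correct `X-Frame-Options: DENY`, so both headers need to be audited together.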

  2. #2
    Security Researcher fb1h2s
    Nice, that was a good one, I would rate it critical.
    Hacking Is a Matter of Time Knowledge and Patience

  3. #3
    Infosec Enthusiast AnArKI
    Impressive mate.... that's a great find...

  4. #4
    Infosec Enthusiast AnArKI
    Separate google section made.....Garage4hackers Forum - Google Vulnerabilities

  5. #5
    Garage Newcomer
    fantastic

    keep on rolling
    ~peace~

  6. #6
    Nice find as usual, keep it up!
    When the way comes to an end, then change - having changed, you pass through
