HACKING GMAIL


HACKING HUNDREDS OF GMAIL ACCOUNTS


I found a bug in the security of Google accounts. I reported this to Google, but according to their policy it didn't qualify as a security issue from their side, so I thought of sharing the vulnerability with the Hacking Tweaks family.

Whom Does This Vulnerability Target?

The users affected are the ones whose alternative e-mail address comes from a site that provides temporary e-mail addresses, such as www.yopmail.com, https://www.guerrillamail.com/, http://10minutemail.com/10MinuteMail/index.html, http://getairmail.com/ and http://www.mailinator.com/.



How to Check for the Vulnerability?

The following steps can be followed to check the entire process:

1. Go to https://mail.google.com.

2. Click on "Can't access my account".

3. Click on "I don't know my username".

4. Now type a recovery e-mail address with any username, such as "xx@yopmail.com", "lol@yopmail.com" or "haha@yopmail.com".

5. Now go to yopmail.com (or any of the above-mentioned sites), fill in the same name typed above (xx, haha, lol) in the box on the left side and click "check for mails".

6. There you will see a mail from Google with the username of the person whose account is associated with xx@yopmail.com. If there was no associated mail, it would show that no username was found in the database.

7. Now that you have the username, go again to gmail.com, click on "I forgot my password", enter the username and then enter the recovery mail, which is xx@yopmail.com.

8. Now check yopmail.com for a new mail from Gmail, which contains the password recovery mail.

9. Reset the password and the vulnerability is exploited!

P.S. Not all Gmail accounts are vulnerable to it, but many of them surely are, as thousands of people use these temporary sites to give a recovery mail.

Patching: I think Google should make these temporary mail sites exceptions in their database when a user is entering the recovery mail.
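The check proposed under "Patching", as an added example that is not part of the original post and not Google's code: it rejects a recovery address on a disposable-mail domain at enrollment and audits stored records for the same condition. The denylist contains only the sites named in this post; the function names and sample records are constructed for illustration.

```python
# Added example. The denylist holds only the sites named in this post; a real
# deployment would load a maintained list instead (assumption).
DISPOSABLE_DOMAINS = frozenset({
    "yopmail.com", "guerrillamail.com", "10minutemail.com",
    "getairmail.com", "mailinator.com",
})

def recovery_domain(address):
    """Return the normalized domain of an e-mail address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or not domain or "." not in domain:
        return None
    try:
        # Compare internationalized names in their ASCII (punycode) form.
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None

def is_disposable(address, denylist=DISPOSABLE_DOMAINS):
    """True if the domain, or any parent domain, is on the denylist."""
    domain = recovery_domain(address)
    if domain is None:
        return False
    labels = domain.split(".")
    # mx.yopmail.com must match yopmail.com, but notyopmail.com must not.
    return any(".".join(labels[i:]) in denylist for i in range(len(labels) - 1))

def validate_recovery_email(address):
    """Enrollment-time check, returns (accepted, reason)."""
    if recovery_domain(address) is None:
        return False, "malformed address"
    if is_disposable(address):
        return False, "disposable mailbox cannot be used for recovery"
    return True, "ok"

def audit_accounts(accounts):
    """Return usernames whose stored recovery address is disposable."""
    return sorted(u for u, rec in accounts.items() if rec and is_disposable(rec))

# Constructed sample records (hypothetical usernames and addresses).
SAMPLE_ACCOUNTS = {
    "alice": "alice.backup@example.org", "bob": "xx@YOPMAIL.com",
    "carol": "carol@mx.mailinator.com.", "dave": "dave@notyopmail.com",
    "erin": None,
}

if __name__ == "__main__":
    print(audit_accounts(SAMPLE_ACCOUNTS))
```

Accounts returned by `audit_accounts` are the ones to prompt for a new recovery address, since the enrollment check alone does not cover addresses stored before it existed.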

3 comments:

  1. It doesn't work now...

  2. Hi, after reading this amazing post I am too delighted to share my knowledge here with colleagues.