It is no secret that Google gives programmers, ethical hackers and security specialists a chance to demonstrate their skills, and pays them for it, through Google’s Vulnerability Reward Program (VRP).
Today, to protect their customers against cyber attacks, most large organizations run a bug bounty program. In these programs, researchers who find a defect or fault in the organization’s systems are rewarded with a prize.
Recently, a Pakistani student and CEO of Security Fuse named Ahmed Mehtab was listed in Google’s Hall of Fame for finding a noteworthy flaw in Gmail that permitted anybody to hack into any email account.
Qualifying for Google’s VRP is never easy, however, so it is crucial that the flaw falls into one of these categories:
- Cross-site scripting,
- Cross-site request forgery,
- Mixed-content scripts,
- Authentication or Authorization defects,
- Server-side code execution bugs
If the vulnerability is found to be legitimate, the researcher can get up to $25,000 from Google. Ahmed Mehtab is the most recent person to win prize money from Google.
Gmail lets users set a forwarding address so that the emails they receive are additionally sent to another email address. Ahmed Mehtab said: “These two modules are really helpless against authentication or verification bypass. It’s like account takeover, however here I as a hacker can hack into email addresses by affirming the ownership of the email and could utilize it for sending emails.”
Ahmed said on his blog “Security Fuse” that any email address could be hacked if it matched any of the following cases:
- Recipient’s SMTP server is offline
- Recipient has deactivated his email
- Recipient does not exist
- Recipient exists but has blocked us
- Cases could be many more
Ahmed Mehtab also showed how one could hack the accounts:
- The attacker attempts to confirm ownership of firstname.lastname@example.org
- Google sends a confirmation email to email@example.com
- firstname.lastname@example.org is not able to receive email, so the message bounces back to Google
- Google sends the attacker a delivery failure notification in his inbox, and that notification contains the verification code
- The attacker takes that verification code and confirms his ownership of email@example.com
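The weakness in the steps above is not the verification code itself but what happens when the confirmation email cannot be delivered: the bounce notice quoted the undelivered message, code included, back to the person who requested it, and the code was still accepted afterwards. The following simulation is an added illustration, not Google’s code or anything from Ahmed Mehtab’s blog; the addresses `requester@example.com`, `unreachable@example.org` and `owner@example.org`, the `Mailbox` and `VerificationService` classes and the `hardened` switch are all constructed for the example. It contrasts the leaky behaviour with a hardened service that revokes a code the moment its message bounces and never echoes the original message in the failure notice, while showing that a legitimate confirmation still works.

```python
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Mailbox:
    """Constructed mailbox. deliverable=False models any of the bounce cases
    in the article: SMTP host offline, deactivated or non-existent user,
    or a recipient who has blocked the sender."""
    address: str
    deliverable: bool = True
    inbox: list = field(default_factory=list)


class VerificationService:
    """Issues ownership-verification codes for a forwarding address."""

    def __init__(self, mailboxes, hardened):
        self.mailboxes = {m.address: m for m in mailboxes}
        self.hardened = hardened
        self.pending = {}  # code -> (requester, claimed address)

    def request(self, requester, claimed):
        code = secrets.token_hex(8)
        self.pending[code] = (requester, claimed)
        body = (f"{requester} wants to forward mail to this address. "
                f"Verification code: {code}")
        self._deliver(sender=requester, to=claimed, body=body, code=code)

    def _deliver(self, sender, to, body, code):
        target = self.mailboxes.get(to)
        if target is not None and target.deliverable:
            target.inbox.append(body)
            return
        # Delivery failed. In the leaky design the failure notice quotes the
        # undelivered message in full, so the secret lands in the requester's
        # own inbox. The hardened design treats a bounce as proof that the
        # claimed address was NOT reached: the code is revoked and the notice
        # carries no copy of the message.
        if self.hardened:
            self.pending.pop(code, None)
            notice = f"Delivery to {to} failed; the verification message was not delivered."
        else:
            notice = f"Delivery to {to} failed. Original message:\n{body}"
        self.mailboxes[sender].inbox.append(notice)

    def confirm(self, requester, code):
        """True only if the code is still pending and belongs to this requester."""
        entry = self.pending.get(code)
        if entry is None or entry[0] != requester:
            return False
        del self.pending[code]
        return True


def codes_in(mailbox):
    """Collect every verification code visible in a mailbox."""
    pattern = r"Verification code: ([0-9a-f]{16})"
    return [c for msg in mailbox.inbox for c in re.findall(pattern, msg)]


def run_bounce_scenario(hardened):
    """Requester claims an address that bounces. Returns True if the bounce
    notice alone was enough to pass verification."""
    requester = Mailbox("requester@example.com")
    unreachable = Mailbox("unreachable@example.org", deliverable=False)
    svc = VerificationService([requester, unreachable], hardened)
    svc.request(requester.address, unreachable.address)
    return any(svc.confirm(requester.address, c) for c in codes_in(requester))


def run_legitimate_scenario(hardened):
    """The real owner receives the code and hands it back; must succeed."""
    requester = Mailbox("requester@example.com")
    owner = Mailbox("owner@example.org")
    svc = VerificationService([requester, owner], hardened)
    svc.request(requester.address, owner.address)
    return any(svc.confirm(requester.address, c) for c in codes_in(owner))


if __name__ == "__main__":
    print("leaky design, bounce passes verification:", run_bounce_scenario(False))
    print("hardened design, bounce passes verification:", run_bounce_scenario(True))
    print("hardened design, real owner confirms:", run_legitimate_scenario(True))
```

Two properties of the hardened path matter independently: a code that was never delivered to the claimed address can no longer prove anything about it, and a delivery-status notification is a fact about delivery, not a channel for re-sending the secret. Either change alone would have closed the flow described above; doing both means a regression in one does not reopen it.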
Ahmed Mehtab also posted a video recorded while the vulnerability was still live. However, he said he was not paid for such a serious security issue; instead, Google only listed him in its Hall of Fame for his contribution.