“that password recovery is often in the center of attention for attackers – and for security professionals.” reported Oren.
” The link should actually refer to an attacker’s site (and it does):http://www.orenh.com/test.html#[email protected]” The attacker’s site performs a CSRF with the customized email address, and once completed – launches the XSS exploit. The code might look like this:” said Oren.
“the code above, reads a Hash parameter (“Email”) for the victim’s email. It creates an invisible image and puts an “initialize password recovery” link as its source.After the request is processed, an Error event is thrown (since this is not really an image).”
At this point the hacker has grabbed victim new password and cookie information with an XSS attack.
“The onError handler now redirects to the XSS’d URL, The user clicks “Reset Password”… and from here the sky is the limit.”
The researcher published a proof of concept video to demonstrate the attack:
Hafif reported the flaw to the Google Security department and Google has promptly fixed the issues assigning a reward of $5,100 under their Bug Bounty Program.