Did you successfully hijack a Google account, pretending to be an attacker?
Let’s start with a bit of background on some of the different kinds of issues you might have encountered when abusing the 'forgot password' functionality:
- The questions Google asked you during the recovery process were too easy to guess.
  Background: If, based on multiple signals, we're confident that it’s the original owner who is trying to recover their own account, the questions we ask are easier than when we suspect an attacker is trying to compromise the account.
- You were asked only a few questions before getting access to an account.
  Background: We ask only a few questions if we're confident (based on multiple signals) that the user is the original owner rather than an attacker. An attacker would have a much harder time.
- You were given access to the account, although your answers to the questions were incorrect.
  Background: It turns out that people make mistakes, even when recovering their own accounts. When multiple other signals in the recovery process indicate that you're the original owner, we can turn a blind eye to an invalid response. Rest assured that this would never be the case for an attacker.
Regardless of the exact issue you exploited, the answer to the following question helps you determine if what you found is really a bug: Was the account you hijacked previously accessed from the same browser/computer/IP address that was used for the attack?
- If the answer is yes, account recovery is working as intended and this is not a bug. After all, you should be able to recover accounts that you created.
  It might seem surprising at first, but many different signals are evaluated during the account recovery process before access is allowed. Some of these signals are difficult to assess properly in small-scale testing, so gaining access to someone else’s account often appears easier than it actually is for a real attacker.
- If the answer is no, this could be a bug. Please proceed as follows:
  - Check the known issues regarding account recovery. Most security reports about the 'forgot password' functionality turn out to be invalid for the reasons listed on the linked page.
  - Make sure you have the details right and can reproduce the issue consistently; this is a vital part of the security report you need to submit.
  - If you are confident that these conditions are met, please report the vulnerability and we'll be in touch shortly. Thanks a lot!