Google took an initiative to make their applications and systems more secure by awarding prizes to anyone who found a legitimate bug which could be exploited.

Recently Ahmed Mehtab, a Pakistani student and CEO at Security Fuss, was listed in Google’s Hall of Fame for his contribution in Google’s Vulnerability Reward Program.

Ahmed Mehtab’s profile listed in Google Vulnerability Reward Program Hall of Fame

Ahmed Mehtab’s Contribution

If you have more than one email address, Google allows the facility to associate or link them. Another feature that Google provides forwarding addresses, to which emails of the primary account can be forwarded to.

Ahmed Mehtab found a way to prove that these methods were actually vulnerable to authentication or verification bypass.

It is only possible if one of the following cases is true:

If recipients smtp is offline.

If recipient have deactivated his email.

If recipient does not exist.

If recipient exists but have blocked us.

Furthermore, the procedure is as following:

Attacker try’s to confirm ownership of [email protected]

Google sends email to [email protected] for confirmation.

[email protected] is not capable to receive email so email is bounced back to sender

This bounced email will have the verification code

Attacker takes that verification code and confirms his ownership to [email protected]

About Google’s Vulnerability Reward Program (VRP)

Google started this program to highlight bugs and other hacking vulnerabilities faced by Google-owned web service.

The scope also included Google-developed apps and extensions published in Google Play, iTunes or Chrome Web Store.

For the vulnerability to qualify for VRP, the bug has to lie in one of the following categories:

Cross-site scripting,

Cross-site request forgery,

Mixed-content scripts,

Authentication or authorization flaws,

Server-side code execution bugs.

Whoever highlights the vulnerabilities and creates a guide on how it can be exploited can earn up to $20,000 from Google as a reward.

Via SecurityFuse

An auto and football enthusiast, you can contact Syed Zarar at [email protected] For more discussions, contact him on Facebook (fb.com/TacticallyInept). He tweets at: @TacticallyInept.