Oren hafif, a Security researcher discovered a major workflow related bug in gmail account recovery allowing the users to hijack any given GMAIL account. He points out that, GMAIL stands for Global Main Authentication and Identification Library.
This is a type of the password reset vulnerability, in the hacking process attacker have to send an email which looks like an email from an official google account. It’s a simple spear-phishing attack by leveraging a number of flaws i.e Cross-site request forgery (CSRF), and cross-site scripting (XSS), and a flow bypass.
Upon clicking the link, it redirect users to a page that is linked to https.google.com but in real it leads the victim to the attacker’s website because of CSRF attack with a customized email address.
After completing the information collecting process—attacker has received your new password that you set for your account and cookie information of your account.
You can check out the demonstration video uploaded to YouTube by Oren Hafif