Gmail Account Hijacking Vulnerability | Ahmed Mehtab

                              Gmail allows its users from all over the world to use multiple email addresses and associate or link them with Gmail also Gmail allows you to set forwarding addresses so the emails which you receive are also sent to the one which you have forwarded. These two modules were actually vulnerable to authentication or verification bypass. It's similar to account takeover but here i as an attacker can hijack email addresses by confirming the ownership of email and was able to use it for sending emails.

Technical Details
                               If you click on the gear button in Gmail and after you will see two modules there one with a name of " Account and Import " > " Send Mail As " and Forwarding Module was affected. This is a logical vulnerability which allowed me to hijack email addresses from Gmail. Any Gmail address which is associated or connected with Gmails SMTP was vulnerable to this security issue. It could be or or etc. We are aware of the fact that Gmail gives us report regarding the mail delivery if email was sent or not, Likely if we send email to any email addresses which dose not exist or is offline Gmail will bounce back a message with a subject of Delivery Status Notification which contains the reason why Gmail actually failed to deliver your email to the recipient.

To hijack any email address there should be any of the following case in order to make it successful
  • If recipients smtp is offline
  • If recipient have deactivated his email
  • If recipient dose not exist
  • If recipient exists but have blocked us
  • Cases could be even more 
In all of the above cases recipient wont be able to receive any email from our addresses and all i needed was a bounced Delivery Notification because Emails which were getting bounced back with a notification stating that your email wasn't delivered for the following reason was also responsible for containing Verification Code and Activation Link with a complete message which was sent for verification to the given address which you want to associate with. Now that verification code could be used to verification and confirm the ownership of the email address, This actually which kills the concept of verification. Same procedure was also applied to Email forwarding module and i also found it vulnerable. All we need is addresses which is not capable to receive emails from our side referring to the cases mentioned above.

In the image shown above you can clearly see how Gmail was bouncing back the email which contains the content forwarded for verification to the recipient and contains link and code for verification to confirm ownership.

There is a scenario where attacker can trick victim in deactivating his account or attacker can also trick victim in blocking his email address so that he may not be able to receive emails from outside and once he dose that we can hijack his email address easily because gmail was bouncing back the email which contains the verification code. Moreover Forwarding section also requires a confirmation which was also affected.

  • Attacker try's to confirm ownership of 
  • Google sends email to for confirmation 
  • is not capable to receive email so email is bounced back to Google
  • Google gives attacker a failure notification in his inbox with the verification code
  • Attacker takes that verification code and confirms his ownership to

You can clearly see the procedure in the video which was recorded at the time when it was vulnerable

After confirming the ownership i was able to use it likely for sending emails and could be also used as an alias. 

20 OCT > Reported to Google
20 OCT > Report triggered
1   Nov  > Report Acknowledged in Hall of Fame 


Google have paid me 500$ for finding this vulnerability , this vulnerability was covered by different blogs and news channels. Some of them are listed below which includes Forbes , CNN , Kespersky blog , IB times UK and many more.

Share on Google Plus

About Ahmed Mehtab

Ahmed Mehtab is a white hat cyber security researcher , speaker , trainer and blogger at security fuse. He loves to research on cyber security issues , cyber crime and hacktivism. Quote " Being a hacker without having knowledge of programming is just like a knife without sharpness ~ Ahmed Mehtab "


  1. This comment has been removed by the author.

  2. You should have been rewarded, that is a major flaw. Thank you for posting it.

  3. Next time sell if for some bitcoin ;)

  4. I really enjoy simply reading all of your weblogs. Simply wanted to inform you that you have people like me who appreciate your work. Definitely a great post. Hats off to you!

  5. The fire hydrant may have huge volume (amperage), but will only push the water a few feet due to it's low pressure (voltage). So when you multiply amps x volts you get the wattage.Omega Fuses

  6. The Southwest Florida climate is very hard on security cameras. The humidity, driving rains, extreme heat, power surges and salty air can cause security cameras or the Digital Video Recorder (DVR) to stop functioning unexpectedly. Unfortunately, Wireless Security Cameras Florida times these problems are not discovered until after an event occurred.

  7. Awesome blog. I enjoyed reading your articles. This is truly a great read for me. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work! hotmail login live sign in

  8. If we have doubts about paying the rent at the end of the month, how can we possibly go after our really big dreams? You gotta feel secure first, right? 메이저놀이터

  9. Cheap surveillance cameras are not impossible to find; you just have to think outside the box a little bit. security camera installation NY

  10. Hi! The next time I read a blog, I hope that it doesnt disappoint me as much as this one. I mean, I know it was my choice to read, but I actually thought youd have something interesting to say. All I hear is a bunch of whining about something that you could fix if you werent too busy looking for attention.

  11. Keeping your mobile safe and secure has become one of the key priorities and challenges today. Smartphone owners would rather lose their wallets than their mobile devices find me a security company in


Hi , Please take a minute to say somthing about this post