Google could be forged domain mailbox fishing-vulnerability warning-the black bar safety net

2015-03-11T00:00:00
ID MYHACK58:62201559805
Type myhack58
Reporter 佚名
Modified 2015-03-11T00:00:00

Description

!

Recently Google Apps for Work exposed a vulnerability that an attacker can use the vulnerability to falsification of any of the site's domain name mailbox, posing as company employees to the victims, sending phishing mail.

Google domain mail service

如果 你 想 弄 一 个 类似 admin@ooxx.com 的 DIY 邮箱 来 代替 Gmail then you can try in the Google Apps for Work registered an account.

From Google services to obtain a custom domain email address, you'll need to register a gmail account. Once you create the account later, you can through the Google application provides a corresponding interface, the direct operation of your domain name management panel. Of course, only you from at Google to obtain the domain name after authentication to the normal use of the domain names the mailbox service.

Forged domain mailbox fishing

Security researcher Patrik Fehrenbach feature and Behrouz sadeghipour found, the attacker can by Google any register a domain name for the mailbox, as long as it is not in the Google Apps services use.

Under normal circumstances, in your domain name the authentication is completed before the Google 不会 让 你 正常 使用 admin@ooxx.com 之类 的 DIY 邮箱 the. But Google of a page there is a bug: Google on the registration of the domain name Manager regardless of whether or not a domain name authentication, can send a“login instructions”in the Sign in Instructions to domain name mailbox member 比如 info@ooxx.com the.

Prerequisites for is the domain name of the mailbox user must be previously registered, the structure of the url request is as follows:

https://admin.google.com/EmailLoginInstructions?userEmail=info@ooxx.com

[1] [2] next