News about domain hijackings came to light in the last weeks. The commonality was that all victims were using Google Mail as the primary email address of their websites. Yesterday a proof of concept for a Gmail security flaw was posted at the Geek Condition blog which explains how the attacker was able to hijack the domain names.
The attacker basically set filters in Gmail to forward emails from the domain registrar to another email account. To ensure that the account owner would not notice the mails they were set to be deleted afterwards.
Most domain registrars offer web forms that can be used to retrieve account information. Godaddy for instance provides web forms to retrieve the username and reset the password of an account. They do send out emails to the primary email account. Those emails are however forwarded and deleted so that they can only be accessed by the attacker.
The two emails will contain the account's username and a new password which can be used to log into the account and initiate a domain transfer to another registrar.
The exploit makes use of a specially prepared website to steal the Google Mail cookie from the user to set the filter in an hidden iframe. This is why the account owners were never logged out of their account by the attacker. He never had physical access to the account. But the filter was enough to hijack the domains.
Gmail users should regularly check their Filters to make sure that none exist that have not been added by them. A better solution would be to retrieve the emails from a desktop email client like Thunderbird or Microsoft Outlook instead.No word yet from the Google Mail team about the vulnerability.Advertisement
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.