Monday, 24 November 2014

How I was able to send a mail with Your Email Id?

How I was able to send a mail with Your Email Id? Is it possible?

Yes. It is. If you are using Gmail, until yesterday, I can send email with your email id. Do u want to know how?

Read my story then....


Hi Friends,

This is Mohan Kallepalli, again with another bug in gmail...

Thanks to facebook, another day started with frustration. I will tell u that story another time. Anyway, with the frustration on facebook, i turned my focus to my favorite Google one more time. While I was going through the Gmail settings, thanks to my low speed internet, my browser suggested me to use "Basic HTML".

Once i opened my settings in Basic HTML, i went to Accounts section and there i saw the functionality for adding another users email id to your "send email as" list. This functionality is protected by a verification code authentication mechanism. which means, Gmail will send a verification code (9digits) to the target email id and you need to enter that code in your verification page to get the access.

Well, as like as any other tester, i tested the functionality with different wrong codes, then i came to know that the verification code is not expiring untill you use it successfully or a new code is generated again.

So i tried to brute force the last 3digits first. Infact i thought, i'll be locked out if i try multiple times. But to my surprise, after a 216 attempts, i saw different server response for all the requests, with "no error message".

When i refreshed my settings page, i saw the target email was successfully added to my settings. Now all i need to do is, make your email as my default reply address and send mails.....

I tested the issue for last 5digits of the 9, with 5200 requests and broke it. In the same way it is possible to break all the 9digits too with reasonable resources

You can view the same on the following video if you like...



Suggestions and Queries/Corrections are always welcome...


No comments:

Post a Comment