"Google patched a hole in its Gmail verification system last week that
allowed an attacker to hijack a targeted Google Gmail account.
The discovery was made by Ahmed Mehtab, a security researcher and
founder of Security Fuse. The hack is simple to execute and requires
less than a dozen steps to pull off.
The hack exploits an authentication or verification bypass vulnerability
in a Gmail feature that allows you to send email from a second Gmail
account. Mehtab said the attack is “similar to account takeover but here
I — as an attacker — can hijack email addresses by confirming the
ownership of email (account).” Exploiting the hack, an attacker can send
email as if it was being sent from the compromised account. In addition,
the attacker could have email forwarded to the compromised Gmail address.
The hack has one big prerequisite, however. The Gmail account targeted
for hijacking must either be blocking emails sent from the attacker’s
account, or be deactivated or be tied to a nonexistent Gmail account.
Google confirmed with Threatpost both the vulnerability and fixing the
Source: https://threatpost.com/clever-gmail-hack-let-attackers-take-over-accounts/121818/