Gmail is one of the most advanced email providers in the world. Oren Hafif, a security researcher, found a vulnerability in Google's password reset process that gave an attacker access to a victim's Gmail account. He used a spear phishing attack to get the victim to open a link. In a spear phishing attack, the attacker gathers personal information about the target user to increase the success rate.
Cross-site request forgery, abbreviated as CSRF and also called a one-click attack or session riding, was used for the attack. CSRF is a confused deputy attack against a web browser: the user follows a link, and the browser sends the request together with the cookie that already exists for the target site. For example, if the target user is logged in to a bank account, a CSRF link can forward a request to the bank and make a withdrawal without the user's confirmation.
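The bank scenario above, as an added example (not code from the original article or from Google): a withdrawal handler that trusts the session cookie alone, next to one that also requires a session-bound token. The handler names, the session store and the server key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret
SESSIONS = {"sess-alice": {"user": "alice", "balance": 1000}}  # constructed sample


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session; the bank embeds it only in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def withdraw_cookie_only(cookies: dict, form: dict) -> str:
    """Weak handler: the session cookie alone authorizes the withdrawal."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return "401 not logged in"
    session["balance"] -= int(form["amount"])
    return "200 withdrawn"


def withdraw_with_token(cookies: dict, form: dict) -> str:
    """Hardened handler: the request must also carry the session-bound token."""
    session_id = cookies.get("session", "")
    session = SESSIONS.get(session_id)
    if session is None:
        return "401 not logged in"
    expected = issue_csrf_token(session_id).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(expected, supplied):  # constant-time compare
        return "403 CSRF token missing or invalid"
    session["balance"] -= int(form["amount"])
    return "200 withdrawn"


if __name__ == "__main__":
    cookies = {"session": "sess-alice"}  # the browser attaches this to every request
    cross_site = {"amount": "100"}       # fields set by another site: no token
    own_form = {"amount": "100", "csrf_token": issue_csrf_token("sess-alice")}
    print(withdraw_cookie_only(cookies, cross_site))
    print(withdraw_with_token(cookies, cross_site))
    print(withdraw_with_token(cookies, own_form))
```

The cookie travels with any request the browser makes to the bank, but a page on another origin cannot read the token, so only the hardened handler tells the bank's own form apart from a cross-site request.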
The attacker used the account ownership confirmation sent to the target user, and the attack on the targeted victim happens during this confirmation step. The following video demonstrates how a Gmail account can be hacked using the Gmail account reset.
Oren Hafif was rewarded $51,000 by Google's Bug Bounty program for reporting the vulnerabilities to the Google security engineers.