Blog | G5 Cyber Security

Account Recovery Vulnerability Patched in Gmail

A researcher in Israel disclosed details of a Google account recovery vulnerability that the company recently patched. The attack starts with a spoofed Google phishing email sent to a Gmail user. When the user tries to reset their password and recover their account, the attacker receives the new password and cookie information in the background. Google patched the vulnerability within 10 days, and the researcher is in line to receive a bug bounty and another Hall of Fame recognition from Google. The researcher combined cross-site scripting, cross-site request forgery, and a password flow bypass to pull off this hack.

Source: https://threatpost.com/details-on-patched-google-account-recovery-bug-disclosed/103014/
