Security researcher Oren Hafif demonstrated how to hack a Google Gmail account by exploiting a serious flaw in the password reset process. He demonstrated the feasibility of a common spear-phishing attack relying on a number of flaws, including cross-site request forgery (CSRF) and cross-site scripting (XSS). The attacker sends the targeted account a fake "Confirm account ownership" email claiming to come from Google. The link in the email points to an HTTPS google.com URL but, through a CSRF attack with a customized email address, it leads the victim to a website controlled by the attackers.
Source: https://securityaffairs.co/wordpress/19892/hacking/hacking-google-gmail.html