Google’s skin saved again by vigilant security expert.
A Gmail bug put the email address of every user at risk of being harvested or hacked, according to security auditor Oren Hafif.
The vulnerability, which has recently been patched, exposed both consumer and corporate clients, making them vulnerable to account takeovers, phishing attacks, and spam, as well as potential account theft on other sites because of password reuse.
Writing half-jokingly, Hafif said: "GMAIL is the Global Main Authentication and Identification Library. It is used everywhere from sites like Facebook and Twitter to online banking. Owning your Gmail account is a hacker’s dream – because it means all other accounts are now in reach."
The exploit he discovered made use of the "delegate" feature in Gmail that allows users to share their accounts with others. By altering the URL that appears when a user is declined access one character at a time Hafif could discover an endless array of email addresses.
Combined with software called DirBuster, which uses "brute force" to access directories by consecutively trying thousands of character combinations, he collected 37,000 directories in two hours.
"Usernames, email addresses and phone numbers are invaluable pieces of information for attackers," Hafif said." They can be used in a large variety of attacks which in some cases result in full account takeover."
"When it comes to username leakage – size matters. The bigger the list of exposed username the more damage can be done by a malicious entity."
Though at one point Google’s defences against automated bots were activated, Hafif changed the URL and carried on, and a hacker could easily use anonymising software to avoid being caught.
The flaw may have been present since 2010 when the delegation feature was introduced, though it has been patched since Hafif discovered it. The security auditor was given a reward for his help.