Gmail bug could have led to thousands of email addresses being harvested


by Jimmy Nicholls| 12 June 2014

Google's skin saved again by vigilant security expert.

A Gmail bug put the email address of every user at risk of being harvested or hacked, according to security auditor Oren Hafif.

The vulnerability, which has recently been patched, exposed both consumer and corporate clients, making them vulnerable to account takeovers, phishing attacks, and spam, as well as potential account theft on other sites because of password reuse.

Writing half-jokingly, Hafif said: "GMAIL is the Global Main Authentication and Identification Library. It is used everywhere from sites like Facebook and Twitter to online banking. Owning your Gmail account is a hacker's dream - because it means all other accounts are now in reach."

The exploit he discovered made use of the "delegate" feature in Gmail that allows users to share their accounts with others. By altering the URL that appears when a user is declined access one character at a time Hafif could discover an endless array of email addresses.

Combined with software called DirBuster, which uses "brute force" to access directories by consecutively trying thousands of character combinations, he collected 37,000 directories in two hours.

"Usernames, email addresses and phone numbers are invaluable pieces of information for attackers," Hafif said." They can be used in a large variety of attacks which in some cases result in full account takeover."

"When it comes to username leakage - size matters. The bigger the list of exposed username the more damage can be done by a malicious entity."

Though at one point Google's defences against automated bots were activated, Hafif changed the URL and carried on, and a hacker could easily use anonymising software to avoid being caught.

The flaw may have been present since 2010 when the delegation feature was introduced, though it has been patched since Hafif discovered it. The security auditor was given a reward for his help.

Source: Company Press Release

Post a comment

Comments may be moderated for spam, obscenities or defamation.

Join our network

792 people like this.
2211 people follow this.

Security Intelligence

Suppliers Directory

Privcy Policy

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.