Gmail Bug Could Have Exposed Every User’s Address


Illustration: WIRED




Until recently, anyone may have been able to assemble a list of every Gmail account in the world. All it would have taken, according to one security researcher’s analysis, was some clever tweaking of a web page’s characters and a lot of patience.


Oren Hafif says that he found and helped fix a bug in Google’s Gmail service that could have been used to extract millions of Gmail addresses, if not all of them, in a matter of days or weeks. The trick would not have exposed passwords or otherwise allowed easy access to those accounts, but could easily have left users vulnerable to spam, phishing or password-guessing attacks. The bug may have existed for years.




The exploit involved a lesser-known account-sharing feature of Gmail that allows a user to “delegate” access to their account. In November of last year, Hafif found that he could tweak the URL of a webpage that appears when a user is declined that delegated access to another user’s account. When he changed one character in that URL, the page showed him that he’d been declined access to a different address. By automating the character changes with a piece of software called DirBuster, he was able to collect 37,000 Gmail addresses in about two hours.
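From the defender's side, the enumeration described above leaves a distinctive trace in web logs: one client requesting many different identifiers on the "access declined" page in a short span. The following Python is an added illustration of how to flag that pattern; it is not code from the article or from Google, and the log format, endpoint path and parameter name are assumptions.

```python
# Added example (not the article's code): flag one client walking through many
# distinct request identifiers on the delegation "access declined" page.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET (?P<url>\S+) HTTP/1\.\d" \d{3}$')
DECLINE_PATH = "/mail/delegation/declined"  # assumed path of the decline page
ID_PARAM = "req"                            # assumed parameter carrying the request id

def parse_line(line):
    """Return (ip, timestamp, request id) for a hit on the decline page, else None."""
    m = LOG_RE.match(line)
    parts = urlsplit(m["url"]) if m else None
    if not parts or parts.path != DECLINE_PATH:
        return None
    ids = parse_qs(parts.query).get(ID_PARAM)
    if not ids:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"), ids[0]

def enumeration_alerts(lines, window=timedelta(minutes=10), threshold=20):
    """Map each client ip to the most distinct ids it requested inside one window,
    keeping only clients at or above threshold. A real user sees a handful of
    declined requests; a scanner stepping through identifiers sees hundreds."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            hits[rec[0]].append(rec[1:])
    alerts = {}
    for ip, events in hits.items():
        events.sort()
        best = start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide window start forward
                start += 1
            best = max(best, len({rid for _, rid in events[start:end + 1]}))
        if best >= threshold:
            alerts[ip] = best
    return alerts

# Constructed sample log: one scanner stepping ids 1000..1029 in five minutes,
# plus one ordinary user who was declined a single request.
SAMPLE = [
    f'203.0.113.5 [12/Jun/2014:10:{i // 6:02d}:{i % 6 * 10:02d}] '
    f'"GET {DECLINE_PATH}?{ID_PARAM}={1000 + i} HTTP/1.1" 200'
    for i in range(30)
] + ['198.51.100.7 [12/Jun/2014:10:02:15] "GET /mail/delegation/declined?req=4242 HTTP/1.1" 200']
```

Running `enumeration_alerts(SAMPLE)` reports only the scanning client; the threshold and window are the knobs to tune against a site's real rate of declined delegation requests.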


“I could have done this potentially endlessly,” says Hafif, a penetration tester for security firm Trustwave Labs in Tel Aviv. “I have every reason to believe every Gmail address could have been mined.”


The exploit wouldn’t have affected just personal users of Gmail, Hafif adds. A hacker could also have used the flaw to collect the addresses of every business that uses Google to host its email, including even Google itself, he says.


Here’s a video showing how the hack worked:


