Gmail flaw means hackers could have email address of every user

By James Walker, Jun 12, 2014, in Technology
A gaping but now-patched security flaw has been revealed in Google's Gmail email service that could have allowed hackers to extract the email address of every single user from Google's database.
Oren Hafif, a security penetration tester, discovered in November last year that he could manipulate the little-used account-sharing feature in Gmail to make the "Rejection Confirmed" message reference another user's address. This was done by simply changing one character in the URL of the page that appears when you attempt to access an account which is not shared with you. Hafif found he could make the page show him that he had been declined access to another email address.
Using DirBuster, a program designed for brute-force attacks, he automated the character-changing process and collected 37,000 Gmail addresses in around two hours, which he saved to a text file.
After Hafif published his report, Google initially refused to pay him under its "bug bounty" program. It has since relented and paid $500, still a very small figure given how much it has been known to pay for severe vulnerabilities. Hafif made the now-patched issue public in a blog post and video on Tuesday and told Wired, "I could have done this potentially endlessly. I have every reason to believe every Gmail address could have been mined."
He added that the technique could have been used to discover email addresses owned by businesses that use Google's mail servers, not just personal users with an @gmail.com address. At one point in his testing, Google detected his efforts and blocked his access. He was able to continue downloading addresses, though, by simply changing another character in the URL.
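One way a defender could spot this kind of enumeration in access logs, as an added example that is not from the article or from Google: it counts distinct identifier values per client and path, and shows why the counter key has to ignore other URL parameters. The log records, the path and the parameter names `token` and `v` are constructed assumptions; the article does not describe how Google's block worked.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample records: (client, seconds since start, request URL).
# The path and the parameter names "token" and "v" are hypothetical.
SAMPLE_LOG = [
    ("client-A", t, f"/share/rejected?token={1000 + t}&v={'a' if t < 30 else 'b'}")
    for t in range(60)
] + [
    ("client-B", 5, "/share/rejected?token=77&v=a"),
    ("client-B", 40, "/share/rejected?token=77&v=a"),
]


def flag_enumeration(log, id_param="token", window=120, threshold=40,
                     split_on_other_params=False):
    """Return the set of clients that requested more than `threshold` distinct
    `id_param` values on one path within `window` seconds.

    split_on_other_params=True models a weaker counter whose key includes the
    remaining query string, so changing any other parameter resets it.
    """
    buckets = defaultdict(list)  # counter key -> [(time, id value)]
    for client, ts, url in log:
        parts = urlsplit(url)
        query = parse_qsl(parts.query)
        ids = [v for k, v in query if k == id_param]
        if not ids:
            continue
        rest = tuple(sorted((k, v) for k, v in query if k != id_param))
        key = (client, parts.path, rest if split_on_other_params else ())
        buckets[key].append((ts, ids[0]))

    flagged = set()
    for (client, _path, _rest), hits in buckets.items():
        hits.sort()
        start = 0
        for end, (ts, _value) in enumerate(hits):
            while ts - hits[start][0] >= window:  # slide the window forward
                start += 1
            if len({v for _, v in hits[start:end + 1]}) > threshold:
                flagged.add(client)
                break
    return flagged
```

With the constructed log, the default call flags only `client-A`, while the weaker keying flags nobody because the change in `v` splits the same client's requests across two counters.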
Although email addresses alone do not facilitate access to an account, lists of thousands of them can be sold to spammers and phishers for large sums of money. Now that the issue has been patched and publicised, we may never know whether this incredibly exploitable flaw was ever used by hackers "in the wild".