One of the most popular services from Google, “Gmail”, was recently found to have a security flaw.
It seems that this flaw exposed every Gmail address across the globe. Oren Hafif, a security researcher, helped Google fix this bug, which made all accounts discoverable by anyone who wanted to find them.
Anyone could have used this bug and, with enough patience, obtained every Gmail address. It seems that this bug appeared with the introduction of the “delegation” feature that Google released back in 2010.
Using this feature, you can delegate control of your account to another Gmail user, for example your personal assistant. The recipient receives an email offering the delegation rights and has to “accept” or “decline”.
Oren Hafif noticed that, by changing only a single character of the token in that accept/decline request, you would get a “decline” request belonging to a completely different account. Change it again and you would get another, and so on.
Hafif then used a program called DirBuster to test tokens automatically. In only two hours, Hafif was able to collect thousands of Gmail addresses, which in the hands of a hacker would mostly have been used for spamming, or the hackers might have tried to access the accounts themselves to take advantage of the important information in them.
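The root cause described above is a delegation token that is both predictable (neighbouring values are valid) and not bound to the user who responds to it. The following is an added example, not Google's code and not part of the original article, of how a hypothetical delegation service can close both gaps: tokens come from the OS CSPRNG so a one-character change never lands on another valid token, each token is tied to the intended recipient and consumed on first use, and repeated bad-token responses from one client are counted so an enumeration attempt shows up in monitoring. All class and account names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    """One pending delegation offer (hypothetical record, constructed for this example)."""
    owner: str       # account granting delegation rights
    delegate: str    # account the offer was sent to
    token_hash: str  # SHA-256 of the token; the raw token only ever lives in the email


class DelegationService:
    """Hypothetical delegation-offer service (constructed example, not Google's code)."""

    # Number of failed token responses from one client before it is flagged for review.
    FAILED_ATTEMPT_THRESHOLD = 20

    def __init__(self):
        self._pending = {}                 # token hash -> Delegation
        self._failed = defaultdict(int)    # client id -> count of failed responses
        self.outcomes = []                 # (Delegation, "accepted" | "declined")

    @staticmethod
    def _hash(token: str) -> str:
        # Store only a digest so a database leak does not hand out live tokens.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def offer(self, owner: str, delegate: str) -> str:
        # 32 bytes (256 bits) from the OS CSPRNG: adjacent strings are not adjacent
        # tokens, so flipping one character cannot reach another account's offer.
        token = secrets.token_urlsafe(32)
        digest = self._hash(token)
        self._pending[digest] = Delegation(owner, delegate, digest)
        return token  # sent to the delegate by email in the real flow

    def respond(self, token: str, client: str, accept: bool):
        """Accept or decline an offer. Returns the Delegation on success, else None.

        The token must exist AND the responding client must be the account the
        offer was addressed to; a valid token alone is not enough.
        """
        record = self._pending.get(self._hash(token))
        if record is None or not hmac.compare_digest(record.delegate, client):
            self._failed[client] += 1  # feed the enumeration detector
            return None
        del self._pending[record.token_hash]  # single use
        self.outcomes.append((record, "accepted" if accept else "declined"))
        return record

    def suspicious_clients(self):
        """Clients whose failed responses reached the threshold (for alerting)."""
        return sorted(c for c, n in self._failed.items()
                      if n >= self.FAILED_ATTEMPT_THRESHOLD)


if __name__ == "__main__":
    svc = DelegationService()
    tok = svc.offer("alice@example.com", "bob@example.com")  # constructed accounts
    print("token length:", len(tok))
    print("wrong client:", svc.respond(tok, "mallory@example.com", True))
    print("right client:", svc.respond(tok, "bob@example.com", True))
    print("replay:", svc.respond(tok, "bob@example.com", True))
```

The `respond` check is the part that would have stopped the behaviour the article describes: even if a token were guessed, it resolves only for the account it was addressed to, and it cannot be used twice. The failed-attempt counter is deliberately simple; in production it would be keyed by source address and session as well and fed into rate limiting.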
It seems that Google has already fixed this problem, and rewarded Hafif with $500 for letting them know about this issue.
However, Hafif was not very pleased with this small bounty, since the bug was a huge breach of security, and he thinks he deserved more money.