Gmail Bug Could Have Exposed Every User’s Address
THE TRICK WOULD NOT HAVE EXPOSED PASSWORDS, BUT COULD HAVE LEFT ACCOUNTS OPEN TO SPAM, PHISHING, OR PASSWORD-GUESSING ATTACKS.
The exploit involved a lesser-known account-sharing feature of Gmail that allows a user to “delegate” access to their account. In November of last year, Hafif found that he could tweak the URL of a webpage that appears when a user is declined delegated access to another user’s account. When he changed one character in that URL, the page showed him that he’d been declined access to a different address. By automating the character changes with a piece of software called DirBuster, he was able to collect 37,000 Gmail addresses in about two hours.
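The flaw described above is a classic insecure direct object reference: the page looked up a record by an identifier that anyone could guess, and rendered it without checking who was asking. The following Python model is an added example written for this article; it is not Google's code, and the record layout, field names and URL parameter are assumptions. It places the vulnerable pattern beside a hardened one that uses an unguessable token, requires an authenticated session, and checks that the record belongs to the requester.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


# Constructed model of a "delegation declined" notice. The real Gmail data
# model is not public; these two fields are assumptions for illustration.
@dataclass
class DeclinedNotice:
    owner_address: str   # account whose delegation offer was declined
    recipient: str       # user who was offered access and declined it


# --- Vulnerable pattern: sequential numeric id, no authentication ---------
# Guessing a neighbouring id reveals a different user's address.
VULNERABLE_STORE: Dict[int, DeclinedNotice] = {
    1001: DeclinedNotice("alice@example.com", "bob@example.com"),
    1002: DeclinedNotice("carol@example.com", "dave@example.com"),
    1003: DeclinedNotice("erin@example.com", "frank@example.com"),
}


def declined_page_vulnerable(notice_id: int) -> Optional[str]:
    """Render the notice for whoever asks: no session, no ownership check."""
    notice = VULNERABLE_STORE.get(notice_id)
    if notice is None:
        return None
    return f"You declined access to {notice.owner_address}"


# --- Hardened pattern: random token, session required, ownership check ----
class HardenedNotices:
    def __init__(self) -> None:
        self._store: Dict[str, DeclinedNotice] = {}

    def create(self, owner: str, recipient: str) -> str:
        # 32 random bytes (256 bits): cannot be found by tweaking characters.
        token = secrets.token_urlsafe(32)
        self._store[token] = DeclinedNotice(owner, recipient)
        return token

    def page(self, token: str, session_user: Optional[str]) -> Optional[str]:
        """Render only for the logged-in user the notice was addressed to."""
        if session_user is None:
            return None  # unauthenticated requests get nothing
        notice = self._store.get(token)
        if notice is None or notice.recipient != session_user:
            # Same response for "no such token" and "not yours", so a
            # requester cannot even confirm that a token exists.
            return None
        return f"You declined access to {notice.owner_address}"


if __name__ == "__main__":
    print(declined_page_vulnerable(1002))  # leaks carol's address to anyone
    notices = HardenedNotices()
    tok = notices.create("alice@example.com", "bob@example.com")
    print(notices.page(tok, "bob@example.com"))   # rendered for bob
    print(notices.page(tok, None))                # None: not logged in
    print(notices.page(tok, "mallory@example.com"))  # None: not the recipient
```

The ownership check matters even with a random token: a token leaked from a forwarded email or browser history should still render nothing for anyone but the intended recipient.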
“I could have done this potentially endlessly,” says Hafif, a Tel Aviv, Israel-based penetration tester for security firm Trustwave. “I have every reason to believe every Gmail address could have been mined.”
The exploit wouldn’t have just affected personal users of Gmail, Hafif adds. A hacker could have also used the flaw to collect the addresses of every business that uses Google to host its email, including even Google itself, he says.
At one point, Google’s protections against automated bots blocked Hafif’s access. But he quickly changed another portion of the URL and was able to continue to siphon thousands more email addresses. Because Google didn’t require a cookie or other forms of authentication to show the vulnerable page, he says a determined email harvester could have used the anonymity software Tor or other IP-address-obscuring methods to collect emails en masse without detection. “These kinds of vulnerabilities that are unauthenticated can be exploited completely silently,” Hafif says.
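Because the page needed no cookie, there was no account to tie the requests to, and rotating source addresses through Tor would defeat a purely per-IP rate limit. What survives that is the endpoint itself: one path being asked for an unusually large and largely sequential set of identifiers, whoever is asking. The following detection sketch is an added example for this article, not a Google or Trustwave tool; the log format, path and parameter name are constructed. It counts distinct identifiers per endpoint across all clients, as well as per client, and measures how sequential the requested identifiers are.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines, "<client_ip> <method> <path>"; the path and
# the "id" parameter are invented for illustration, not Gmail's real URL.
SAMPLE_LOG = """\
198.51.100.7 GET /mail/delegation/declined?id=1001
198.51.100.7 GET /mail/delegation/declined?id=1002
198.51.100.7 GET /mail/delegation/declined?id=1003
203.0.113.9 GET /mail/delegation/declined?id=1004
203.0.113.9 GET /mail/delegation/declined?id=1005
203.0.113.9 GET /mail/delegation/declined?id=1006
192.0.2.44 GET /mail/inbox
192.0.2.44 GET /mail/delegation/declined?id=1007
"""


def parse(line: str) -> Optional[dict]:
    """Split one log line into ip, method, path and query parameters."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ip, method, url = parts
    u = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"ip": ip, "method": method, "path": u.path, "params": params}


def longest_sequential_run(values: Iterable[str]) -> int:
    """Length of the longest run of consecutive integers among the ids."""
    nums = sorted({int(v) for v in values if v.isdigit()})
    best = run = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def analyze(log_text: str, id_param: str = "id",
            per_ip_threshold: int = 3, global_threshold: int = 5) -> dict:
    per_ip: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    per_path: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or id_param not in rec["params"]:
            continue
        value = rec["params"][id_param]
        per_path[rec["path"]].add(value)
        per_ip[(rec["path"], rec["ip"])].add(value)

    noisy_clients: List[Tuple[str, str, int]] = sorted(
        (ip, path, len(ids)) for (path, ip), ids in per_ip.items()
        if len(ids) >= per_ip_threshold)
    # Endpoint-level view: survives IP rotation because it ignores the client.
    enumerated: List[Tuple[str, int, int]] = sorted(
        (path, len(ids), longest_sequential_run(ids))
        for path, ids in per_path.items() if len(ids) >= global_threshold)
    return {"noisy_clients": noisy_clients, "enumerated_endpoints": enumerated}


if __name__ == "__main__":
    for key, rows in analyze(SAMPLE_LOG).items():
        print(key)
        for row in rows:
            print("  ", row)
```

In the constructed sample each client alone requests only three identifiers, which a per-client rule might tolerate, while the endpoint view shows seven distinct identifiers forming one unbroken sequence from 1001 to 1007, which is the signal a rotating-address harvester cannot hide.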
Hafif says it took Google another month after his report to fix the bug. The company initially declined to pay him under its bug bounty program for rewarding hackers who expose and help fix its security flaws. But it later relented and paid him $500, a relatively small sum compared to the tens of thousands of dollars it hands out for the discovery of severe vulnerabilities.
A Google spokesperson confirms that the company patched Hafif’s email-stealing bug and paid him a reward for his help, but declined to respond to requests for further comment.
And did someone already obtain that list? “That’s a hard question,” Hafif says. “We’ll never know.”