A massive security flaw in Google's Gmail service that could have been used to extract millions of addresses has been revealed.
The flaw was only found when an Israeli security researchers raised the alarm with Google.
The search giant said the flaw has now been fixed - and paid the researcher for his tip.
Scroll down for video
The newly revealed flaw could have been used to capture the email address of every user of Google's mail service.
HOW IT WORKS
The exploit uses a sharing feature of Gmail that allows a user to 'delegate' access to their account.
By tweaking the web address, Hafif found it was possible to reveal a random user's email address.
By automating the character changes with a piece of software called DirBuster, he was able to collect 37,000 Gmail addresses in about two hours.
By tweaking the web address, Hafif found it was possible to reveal a random user's email address.
By automating the character changes with a piece of software called DirBuster, he was able to collect 37,000 Gmail addresses in about two hours.
Oren Hafif says the trick would not have exposed passwords or
otherwise allowed easy access to those accounts, but could have left
users vulnerable to spam, phishing or password-guessing attacks.
'I bruteforced a token in a Gmail URL to extract all of the email addresses hosted on Google,' he revealed in a blog this week.
'I
could have done this potentially endlessly,' says Hafif, a Tel Aviv,
Israel-based penetration tester for security firm Trustwave, told Wired.
'I have every reason to believe every Gmail address could have been mined.'
The
exploit wouldn’t have just affected personal users of Gmail, Hafif
said, but also every business that uses Google to hosts its email,
including even Google itself.
The exploit uses a sharing feature of Gmail that allows a user to “delegate” access to their account. By tweaking the web address, Hafif found it was possible to reveal a random user's email address.
By automating the character changes with a piece of software called DirBuster, he was able to collect 37,000 Gmail addresses in about two hours.
Hafif says it took Google another month after his report to fix the bug.