
Thursday, 12 June 2014


Massive flaw uncovered that could have revealed the email address of EVERY user of Google's Gmail service

A massive security flaw in Google's Gmail service that could have been used to extract millions of addresses has been revealed.
The flaw was only found when an Israeli security researcher raised the alarm with Google.
The search giant said the flaw has now been fixed - and paid the researcher for his tip.
The newly revealed flaw could have been used to capture the email address of every user of Google's mail service.

HOW IT WORKS

The exploit uses a sharing feature of Gmail that allows a user to 'delegate' access to their account.
By tweaking the web address, Hafif found it was possible to reveal a random user's email address.
By automating the character changes with a piece of software called DirBuster, he was able to collect 37,000 Gmail addresses in about two hours.
Oren Hafif says the trick would not have exposed passwords or otherwise allowed easy access to those accounts, but could have left users vulnerable to spam, phishing or password-guessing attacks.
 
'I bruteforced a token in a Gmail URL to extract all of the email addresses hosted on Google,' he revealed in a blog this week.
'I could have done this potentially endlessly,' Hafif, a Tel Aviv, Israel-based penetration tester for security firm Trustwave, told Wired.
'I have every reason to believe every Gmail address could have been mined.'
The exploit wouldn't have just affected personal users of Gmail, Hafif said, but also every business that uses Google to host its email, including even Google itself.
Hafif says it took Google another month after his report to fix the bug.
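The weakness described above is a guessable token in a URL that an automated tool could cycle through at high speed. From the defender's side, the most useful signal is the traffic pattern that such automation produces: one client requesting the same endpoint with many distinct token values in a short window, most of them failing. The following detector is an added example written for this page; it is not code from the article, from Hafif, or from Google. The log lines are constructed, the `/delegate/accept?token=` path is a placeholder and not Google's real delegation URL, and the 60-second window and five-distinct-token threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in combined log format. The endpoint and the
# token parameter are placeholders, not the real Gmail delegation URL.
# 203.0.113.7 walks through sequential token values; 198.51.100.4 is a
# legitimate user who follows one valid delegation link.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2014:10:00:01 +0000] "GET /delegate/accept?token=aaaa HTTP/1.1" 404 512
203.0.113.7 - - [12/Jun/2014:10:00:01 +0000] "GET /delegate/accept?token=aaab HTTP/1.1" 404 512
203.0.113.7 - - [12/Jun/2014:10:00:02 +0000] "GET /delegate/accept?token=aaac HTTP/1.1" 404 512
203.0.113.7 - - [12/Jun/2014:10:00:02 +0000] "GET /delegate/accept?token=aaad HTTP/1.1" 200 880
203.0.113.7 - - [12/Jun/2014:10:00:03 +0000] "GET /delegate/accept?token=aaae HTTP/1.1" 404 512
198.51.100.4 - - [12/Jun/2014:10:00:05 +0000] "GET /delegate/accept?token=kq7Zp HTTP/1.1" 200 880
198.51.100.4 - - [12/Jun/2014:10:05:00 +0000] "GET /inbox HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TOKEN_RE = re.compile(r'[?&]token=([^&\s]+)')


def parse_line(raw):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    token = TOKEN_RE.search(m["path"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "status": int(m["status"]),
        "token": token.group(1) if token else None,
    }


def find_token_enumeration(log_text, window_seconds=60, distinct_threshold=5):
    """Flag clients that present many distinct token values within a sliding window.

    Returns {ip: {"distinct_tokens", "failures", "requests"}} for the latest
    window in which a client crossed the threshold. A single legitimate user
    normally presents one token; a sweep presents many, mostly with error
    statuses, which is the pattern an automated guesser leaves behind.
    """
    events = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev and ev["token"] is not None:
            events[ev["ip"]].append(ev)

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)  # token -> occurrences inside the window
        start = 0
        for end, ev in enumerate(evs):
            in_window[ev["token"]] += 1
            # Slide the window start forward until it covers window_seconds.
            while ev["ts"] - evs[start]["ts"] > window:
                old = evs[start]["token"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= distinct_threshold:
                span = evs[start:end + 1]
                alerts[ip] = {
                    "distinct_tokens": len(in_window),
                    "failures": sum(1 for e in span if e["status"] >= 400),
                    "requests": len(span),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in find_token_enumeration(SAMPLE_LOG).items():
        print(f"possible token enumeration from {ip}: {info}")
```

The sequential client trips the rule after five distinct tokens in two seconds, four of them failures, while the user who followed one valid link never does. In practice the threshold would be set from the observed per-client baseline, and the alert is a trigger for rate limiting or blocking at the edge rather than proof on its own; the durable fix is the one the article implies Google applied, making the token long and random enough that guessing it is not feasible in the first place.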
