Until recently, anyone may have been able to assemble a list of every Gmail account in the world. All it would have taken, according to one security researcher’s analysis, was some clever tweaking of a web page’s characters and a lot of patience.
Oren Hafif says that he found and helped fix a bug in Google’s Gmail service that could have been used to extract millions of Gmail addresses, if not all of them, in a matter of days or weeks. The trick would not have exposed passwords or otherwise allowed easy access to those accounts, but could have left users vulnerable to spam, phishing or password-guessing attacks. The bug may have existed for years.
The exploit involved a lesser-known account-sharing feature of Gmail that allows a user to “delegate” access to their account. In November of last year, Hafif found that he could tweak the URL of a webpage that appears when a user is declined that delegated access to another user’s account. When he changed one character in that URL, the page showed him that he’d been declined access to a different address. By automating the character changes with a piece of software called DirBuster, he was able to collect 37,000 Gmail addresses in about two hours.
“I could have done this potentially endlessly,” says Hafif, a Tel Aviv, Israel-based penetration tester for security firm Trustwave. “I have every reason to believe every Gmail address could have been mined.”
The exploit wouldn’t have just affected personal users of Gmail, Hafif adds. A hacker could have also used the flaw to collect the addresses of every business that uses Google to host its email, including even Google itself, he says.
At one point, Google’s protections against automated bots blocked Hafif’s access. But he quickly changed another portion of the URL and was able to continue to siphon thousands more email addresses. Because Google didn’t require a cookie or other forms of authentication to show the vulnerable page, he says a determined email harvester could have used the anonymity software Tor or other IP-address-obscuring methods to collect emails en masse without detection. “These kinds of vulnerabilities that are unauthenticated can be exploited completely silently,” Hafif says.
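The two weaknesses the article describes, a guessable identifier in the URL and a page that renders without any authentication, can be contrasted with a hardened design in a few lines. This is an added illustration written for this page, not Google's code or Hafif's; the notice structure, addresses and ids are constructed here, and the hardened version assumes the notice is shown only to the signed-in user it was issued to.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data standing in for the "access declined" notices the
# article describes; addresses and ids are made up for this example.
@dataclass
class DeclineNotice:
    delegate: str   # account that asked for delegated access and was refused
    owner: str      # mailbox it asked to access

# Vulnerable shape: notices keyed by a small sequential integer that appears
# in the URL, and no check on who is asking.
NOTICES_BY_ID = {
    1001: DeclineNotice("alice@example.com", "owner-a@example.com"),
    1002: DeclineNotice("bob@example.com", "owner-b@example.com"),
    1003: DeclineNotice("carol@example.com", "owner-c@example.com"),
}

def render_decline_notice_vulnerable(notice_id: int) -> Optional[str]:
    """Changing one character of the id walks to somebody else's notice and
    the page happily prints their addresses to an anonymous visitor."""
    notice = NOTICES_BY_ID.get(notice_id)
    if notice is None:
        return None
    return f"{notice.delegate} was declined access to {notice.owner}"

# Hardened shape: an unguessable per-notice token, and the page is rendered
# only for the authenticated user the notice was issued to.
NOTICES_BY_TOKEN: Dict[str, DeclineNotice] = {}

def issue_notice(delegate: str, owner: str) -> str:
    token = secrets.token_urlsafe(32)   # 256 random bits: not enumerable
    NOTICES_BY_TOKEN[token] = DeclineNotice(delegate, owner)
    return token

def render_decline_notice_hardened(token: str, session_user: Optional[str]) -> Optional[str]:
    if session_user is None:            # no session: nothing is shown at all
        return None
    notice = NOTICES_BY_TOKEN.get(token)
    # Unknown token and wrong user get the same answer, so the page is not an
    # oracle for which tokens exist; the viewer's own address is never echoed.
    if notice is None or not hmac.compare_digest(notice.delegate, session_user):
        return None
    return f"You were declined access to {notice.owner}"
```

With the hardened version an anonymous crawler, Tor or not, gets no page at all, and a signed-in user can only ever see the notice addressed to them.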
Hafif says it took Google another month after his report to fix the bug. The company initially declined to pay him under its bug bounty program for rewarding hackers who expose and help fix its security flaws. But it later relented and paid him $500, a relatively small sum compared to the tens of thousands of dollars it hands out for the discovery of severe vulnerabilities.
A Google spokesperson confirms that the company patched Hafif’s email-stealing bug and paid him a reward for his help, but declined to respond to requests for further comment.
Hafif only revealed the existence of the bug in a blog post Tuesday. He says that he has no way of knowing how long the flaw persisted or whether it was ever exploited. Given that Google’s delegation feature for Gmail has existed since late 2010, it may have been exposed for years.
The 27-year-old researcher says he was mildly disappointed with Google’s lackluster reward for helping to fix a serious issue. As he writes in his blog post: “Think about how much money a spammer or a country (China?) are ready to pay for a list of all Google accounts?”
And did someone already obtain that list? “That’s a hard question,” Hafif says. “We’ll never know.”