A SECURITY RESEARCHER has revealed that he helped fix a fault that could have exposed all Gmail users to spam and malware email over a prolonged period and got a paltry $500 for his troubles.
The bug, which allowed anyone with the method and the patience to obtain every active Gmail address, came about as a result of the "delegation" feature that Google introduced in 2010.
This allows users to delegate control of their account to another Gmail user, such as a personal assistant. The recipient gets an email offering them delegation rights with "accept" and "decline" links containing a token in hexadecimal notation.
Oren Hafif discovered that by changing a single character in that token, you would be presented with a "decline" request for a completely different account. Change it again, and you'd get another. And another.
Hafif tried a brute-force attack using a program called Dirbuster to automate the testing of the tokens. Within two hours, Hafif was able to collect thousands of valid Gmail addresses that, in the wrong hands, could be used for spamming and could also narrow the targeting of attempts to access Gmail accounts.
Given that many people rely on their Google data, this had the potential to be disastrous. Google has now fixed the exploit and rewarded Hafif with $500.
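The article does not describe how Google fixed the flaw. As an added illustration (not Google's code and not from the original article), the Python sketch below shows one way to issue delegation link tokens so that changing a character never resolves to another account: a random nonce, an HMAC tag binding it to both parties, and a check that the signed-in user is the invited delegate. The function names, the in-memory `PENDING` store and the example addresses are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed server-side secret, never sent to clients
PENDING = {}                          # nonce -> (owner, delegate); stands in for a database


def _tag(nonce: bytes, owner: str, delegate: str) -> bytes:
    msg = b"\x00".join([nonce, owner.encode(), delegate.encode()])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_token(owner: str, delegate: str) -> str:
    """Create the hex token placed in one request's accept/decline links."""
    nonce = secrets.token_bytes(16)   # 128 bits from the CSPRNG, not a counter
    PENDING[nonce] = (owner, delegate)
    return (nonce + _tag(nonce, owner, delegate)).hex()


def resolve_decline(token_hex: str, session_user: str):
    """Return the delegating address, or None with no detail on any failure."""
    try:
        raw = bytes.fromhex(token_hex)
    except ValueError:
        return None
    if len(raw) != 48:
        return None
    nonce, tag = raw[:16], raw[16:]
    record = PENDING.get(nonce)
    if record is None:
        return None
    owner, delegate = record
    if not hmac.compare_digest(tag, _tag(nonce, owner, delegate)):
        return None
    # The token alone is not enough: the signed-in user must be the invited delegate.
    if not hmac.compare_digest(session_user.encode(), delegate.encode()):
        return None
    return owner


def count_hits_from_mutations(token_hex: str, session_user: str) -> int:
    """Change each hex character in turn and count how many tokens still resolve."""
    hits = 0
    for i, ch in enumerate(token_hex):
        mutated = token_hex[:i] + format(int(ch, 16) ^ 1, "x") + token_hex[i + 1:]
        if resolve_decline(mutated, session_user) is not None:
            hits += 1
    return hits
```

Every failure path returns the same `None`, so a caller probing tokens learns nothing about which addresses exist.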
Hafif has expressed slight frustration at a relatively small bounty for what potentially was a huge breach of security, and the white hat hacking community has come out firmly in agreement.
In 2013, it was revealed that Yahoo had been rewarding bug finders with, among other things, a purple Yahoo rubber duck.
We've asked Google to comment, but so far it has not told us the colour of its rubber duck. µ