
Gmail exploit foiled for a $500 bounty from Google

Bug could expose all Gmail user addresses
Thu Jun 12 2014, 14:33

A SECURITY RESEARCHER has revealed that he helped fix a fault that could have exposed all Gmail users to spam and malware email over a prolonged period, and got a paltry $500 for his troubles.

The bug, which allowed anyone with the method and the patience to obtain every active Gmail address, came about as a result of the "delegation" feature that Google introduced in 2010.

This allows users to delegate control of their account to another Gmail user, such as a personal assistant. The recipient gets an email offering them delegation rights with "accept" and "decline" links containing a token in hexadecimal notation.

Oren Hafif discovered that by changing a single character in that token, you would be presented with a "decline" request for a completely different account. Change it again, and you'd get another. And another.

Hafif tried a brute-force attack using a program called Dirbuster to automate the testing of the tokens. Within two hours, Hafif was able to collect thousands of valid Gmail addresses that, in the wrong hands, could be used for spamming, and could also be used to narrow the targeting of attempts to break into Gmail accounts.
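The root cause described above is a delegation token whose neighbouring values belong to other accounts. The following Python is an added example, not Google's code, of how accept/decline tokens can be issued so that a single-character change fails verification instead of resolving to somebody else's pending request; the signing key, account names and payload layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side signing key: hypothetical, generated per run for this example.
SERVER_KEY = secrets.token_bytes(32)
NONCE_BYTES = 16   # 128 bits of randomness per invitation
TAG_HEX_LEN = 64   # HMAC-SHA256 tag as hex


def issue_delegation_token(owner: str, delegate: str) -> str:
    """Build an unguessable, tamper-evident token: hex(payload) || HMAC(key, payload).

    The payload carries both accounts and a random nonce, and the tag covers every
    byte, so there are no "neighbouring" valid tokens to walk through."""
    nonce = secrets.token_hex(NONCE_BYTES)
    payload = f"{owner}|{delegate}|{nonce}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + tag


def resolve_delegation_token(token: str, presenting_user: str) -> Optional[dict]:
    """Return the request only for an intact token shown by the invited delegate."""
    if len(token) <= TAG_HEX_LEN:
        return None
    payload_hex, tag = token[:-TAG_HEX_LEN], token[-TAG_HEX_LEN:]
    try:
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    owner, delegate, _nonce = payload.decode().split("|", 2)
    if delegate != presenting_user:   # holding the link alone must not be enough
        return None
    return {"owner": owner, "delegate": delegate}


def single_hex_edits(token: str):
    """Every string differing from token in exactly one hex digit (the edit in the article)."""
    for i, c in enumerate(token):
        for h in "0123456789abcdef":
            if h != c:
                yield token[:i] + h + token[i + 1:]


def rejects_all_single_edits(token: str, presenting_user: str) -> bool:
    """True if no one-character variant of the token resolves to any request."""
    return all(resolve_delegation_token(v, presenting_user) is None
               for v in single_hex_edits(token))
```

A server-side store keyed by the whole token works equally well; what matters is that the lookup never derives the account from a predictable part of the token.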

Given that many people rely on their Google data, this had the potential to be disastrous. Google has now fixed the exploit and rewarded Hafif with $500.

Hafif has expressed slight frustration at a relatively small bounty for what potentially was a huge breach of security, and the white hat hacking community has come out firmly in agreement.

In 2013, it was revealed that Yahoo had been rewarding bug finders with, among other things, a purple Yahoo rubber duck.

We've asked Google to comment, but so far it has not told us the colour of its rubber duck. µ
