A massive security flaw in Google’s Gmail service that could have been used to extract millions of addresses has been revealed.
The flaw was only found when an Israeli security researchers raised the alarm with Google.
The search giant said the flaw has now been fixed – and paid the researcher for his tip.
Oren Hafif says the trick would not have exposed passwords or otherwise allowed easy access to those accounts, but could have left users vulnerable to spam, phishing or password-guessing attacks.
‘I bruteforced a token in a Gmail URL to extract all of the email addresses hosted on Google,’ he revealed in a blog this week.
‘I could have done this potentially endlessly,’ says Hafif, a Tel Aviv, Israel-based penetration tester for security firm Trustwave, told Wired.
‘I have every reason to believe every Gmail address could have been mined.’
The exploit wouldn’t have just affected personal users of Gmail, Hafif said, but also every business that uses Google to hosts its email, including even Google itself.
The exploit uses a sharing feature of Gmail that allows a user to “delegate” access to their account.
By tweaking the web address, Hafif found it was possible to reveal a random user’s email address.
By automating the character changes with a piece of software called DirBuster, he was able to collect 37,000 Gmail addresses in about two hours.
Hafif says it took Google another month after his report to fix the bug.
The company initially declined to pay him under its bug bounty program for rewarding hackers who expose and help fix its security flaws.
But it later relented and paid him $500
Read more: THE DAILY MAIL