icon bookmark-bicon bookmarkicon cameraicon checkicon chevron downicon chevron lefticon chevron righticon chevron upicon closeicon v-compressicon downloadicon editicon v-expandicon fbicon fileicon filtericon flag ruicon full chevron downicon full chevron lefticon full chevron righticon full chevron upicon gpicon insicon mailicon moveicon-musicicon mutedicon nomutedicon okicon v-pauseicon v-playicon searchicon shareicon sign inicon sign upicon stepbackicon stepforicon swipe downicon tagicon tagsicon tgicon trashicon twicon vkicon yticon wticon fm
12 Jun, 2014 14:56

Massive flaw could have exposed every Gmail user’s address

Massive flaw could have exposed every Gmail user’s address

A gaping security bug in Google’s systems may have been used to unearth millions upon millions of users’ email addresses. The activist claimed it took Google a month to rectify the problem after his report to the company.

Tel Aviv-based security researcher Oren Hafif discovered the bug and has informed Google, which has managed to resolve the problem.

However, before Hafif notified Google, he successfully retrieved some 37,000 addresses from the system.

“I have every reason to believe every Gmail address could have been mined,”
Hafif told Wired.

He uploaded a video tutorial to his YouTube account at the beginning of June.


Hafif accessed a page declaring that his access had been denied towards the end of last year. After changing a single character in the website’s URL, the Gmail page said that he’d been denied access to a different address.

He automated character changes using software called DirBuster. “I could have done this potentially endlessly,” said Hafif.

While passwords weren’t provided, the bug may have left accounts wide open to spam, phishing and password hacking attempts.

Google rewarded Hafif with $500 – which some commentators deemed to be very low considering the work he did.

“Being a good person is not very profitable these days :) ,” Hafif posted on Twitter on Thursday.

A Google spokesperson confirmed to Wired that the company had repaired the bug and awarded him some financial compensation. However, Google did not respond to any further requests for comment.

Podcasts
0:00
26:13
0:00
24:57