Flag as important: MASSIVE Gmail security flaw
An Israeli security researcher discovered a gaping hole in Gmail’s security that could have revealed the email address of every single person using the service. And Google had no idea until he told them.
Oren Hafif says the flaw – which could have left users open to phishing scams and all kinds of internet nasties – lies in a sharing feature of Gmail that lets a user delegate access to their account to someone else.
Tweak one part of the web address and it reveals the address of some other user. Automate that tweak and you can keep going indefinitely. Hafif collected 37,000 Gmail addresses in two hours using DirBuster, a legitimate, freely available tool built for exactly this kind of automated guessing.
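The pattern the article describes is a classic insecure direct object reference: a link carries a guessable value, the server hands back whatever that value points to, and a loop harvests the lot. The script below is an added illustration, not the article’s or Hafif’s code and not Gmail’s real delegation logic. It assumes a hypothetical confirmation endpoint, a constructed table of `example.com` accounts, the parameter names `id` and `token`, and a lockout threshold of 20 failed lookups; it shows the weak handler being enumerated next to a hardened one that uses random single-use tokens and cuts a guessing loop off early.

```python
from typing import Optional, List
from urllib.parse import urlparse, parse_qs
import secrets

# Constructed sample account table (hypothetical users, not real data).
ACCOUNTS = {n: f"user{n:05d}@example.com" for n in range(1, 201)}


def vulnerable_handler(url: str) -> Optional[str]:
    """Weak design: the confirmation link carries a short sequential 'id' and
    the handler reveals the address of whatever account that id points to."""
    params = parse_qs(urlparse(url).query)
    try:
        account_id = int(params.get("id", [""])[0])
    except ValueError:
        return None                      # non-numeric or missing id
    return ACCOUNTS.get(account_id)


def enumerate_vulnerable(base_url: str, max_id: int) -> List[str]:
    """What a DirBuster-style loop does: walk the parameter, keep every hit."""
    found = []
    for guess in range(1, max_id + 1):
        address = vulnerable_handler(f"{base_url}?id={guess}")
        if address is not None:
            found.append(address)
    return found


class HardenedDelegationService:
    """Hardened design: a random, single-use token per delegation request,
    plus a failure counter so a guessing loop is refused after a few misses."""

    def __init__(self, lockout_after: int = 20) -> None:
        self._pending = {}               # token -> account id awaiting confirmation
        self.failures = 0
        self._lockout_after = lockout_after

    def issue_link(self, account_id: int, base_url: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits: not enumerable
        self._pending[token] = account_id
        return f"{base_url}?token={token}"

    def handler(self, url: str) -> Optional[str]:
        if self.failures >= self._lockout_after:
            return None                  # throttled: refuse every further lookup
        params = parse_qs(urlparse(url).query)
        token = params.get("token", [""])[0]
        account_id = self._pending.pop(token, None)   # single use: removed on hit
        if account_id is None:
            self.failures += 1
            return None
        return ACCOUNTS.get(account_id)


def enumerate_hardened(service: HardenedDelegationService,
                       base_url: str, max_guess: int) -> List[str]:
    """The same guessing loop aimed at the hardened handler."""
    found = []
    for guess in range(1, max_guess + 1):
        address = service.handler(f"{base_url}?token={guess}")
        if address is not None:
            found.append(address)
    return found


if __name__ == "__main__":
    base = "https://mail.example.test/delegate/accept"   # hypothetical endpoint
    print(len(enumerate_vulnerable(base, 300)), "addresses harvested from the weak handler")
    svc = HardenedDelegationService()
    link = svc.issue_link(7, base)
    print(svc.handler(link), "<- legitimate single use")
    print(svc.handler(link), "<- second use rejected")
    print(len(enumerate_hardened(svc, base, 300)), "harvested from the hardened handler")
```

Against the weak handler the loop recovers every account in the table; against the hardened one it recovers nothing, and after the lockout threshold the service stops answering at all, which is also the point at which a rate-limit alert should fire on the server side.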
Hafif, who works for security firm Trustwave, said:
‘I could have done this potentially endlessly. I have every reason to believe that every Gmail address could have been mined.’
But when he reported the flaw, Google took a month to respond, and at first didn’t pay him for the tip through its bug bounty programme, which rewards hackers for helping to fix bugs.
Eventually Hafif got $500 for his troubles, and Google promptly fixed the flaw. But nobody will ever know whether it was used before that to grab our addresses and send us ‘Please Help Me, I’m On Holiday In Ukraine and I Need You To Send Money’ emails...