Gmail had a simple flaw that allowed anyone to obtain every email address

A gaping security flaw in Google's Gmail email service has been publicized that could have allowed hackers to extract the email address of every single user from Google's database.

Oren Hafif, a security penetration expert, discovered last year that he could manipulate the little-used account-sharing feature in Gmail to edit the 'Rejection Confirmed' webpage. After changing one character in the URL of the page that appears when you reject access to a shared account, Hafif found he could make the page tell him that he had been declined access to another email address.

The Gmail account-sharing rejected message could be manipulated to display the email address of somebody else

By using DirBuster, a brute-force directory-discovery tool, he automated the character-changing process and saved 37,000 Gmail addresses to a text file in around two hours. From this output he could then extract the individual email addresses. Hafif made the now long-patched issue public in a blog post and video on Tuesday and told Wired:

"I could have done this potentially endlessly. I have every reason to believe every Gmail address could have been mined."

He added that the technique could have been used to view the addresses of anyone using Google-hosted mail, including businesses. At one point in his testing, Google detected his efforts and blocked his access, but he was able to continue downloading addresses simply by changing another character in the URL.
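One way a defender could spot this kind of harvesting in web-server logs, as an added example that is not from the article or from Google's own systems: the endpoint path, the `id` parameter and the log lines are all constructed assumptions. It folds trivial URL variations (a junk parameter, a case change) into one key so that "changing another character" does not reset the count.

```python
"""Detect enumeration of a share-rejection page from web-server logs.

Added example, not from the article or from Google: it assumes a
hypothetical endpoint /share/reject whose `id` query parameter selects
the record and whose response echoes the owning address. Log lines are
constructed, in the form "<client> <request-url> <status>".
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/share/reject"   # hypothetical endpoint
ID_PARAM = "id"                 # hypothetical record selector

def canonical(url: str):
    """Return (path, id) with case, trailing slashes and unknown query
    parameters stripped, so a junk parameter or a case change in the URL
    still counts against the same endpoint and the same client."""
    parts = urlsplit(url)
    path = parts.path.lower().rstrip("/")
    ids = parse_qs(parts.query).get(ID_PARAM)
    return path, (ids[0] if ids else None)

def flag_enumerators(log_lines, threshold=3):
    """Count distinct ids each client successfully pulled from the target
    page; return {client: distinct_id_count} for clients above threshold."""
    seen = defaultdict(set)
    for line in log_lines:
        client, url, status = line.split()
        path, rid = canonical(url)
        if path == TARGET_PATH and status == "200" and rid is not None:
            seen[client].add(rid)
    return {c: len(ids) for c, ids in seen.items() if len(ids) > threshold}

# Constructed log lines: 10.0.0.5 walks sequential ids and, after one
# blocked request, keeps going with an extra parameter and mixed case.
SAMPLE_LOG = """\
10.0.0.5 /share/reject?id=1001 200
10.0.0.5 /share/reject?id=1002 200
10.0.0.5 /share/reject?id=1003 403
10.0.0.5 /share/reject?id=1003&x=1 200
10.0.0.5 /Share/Reject/?id=1004&x=2 200
10.0.0.5 /share/reject?id=1005 200
10.0.0.9 /share/reject?id=2200 200
10.0.0.9 /inbox 200
""".splitlines()

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))  # {'10.0.0.5': 5}
```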

Although an email address alone does not grant access to an account, lists of thousands of them can be sold to spammers and phishers for a profit. We may never know whether this flaw was ever exploited, though now that it has been patched it is no longer a concern.

Source: Oren Hafif via Wired | Image via Oren Hafif

18 Comments

So really someone was brute-generating email addresses. Not really seeing a big deal, this happens a lot...

Yeah, could do the same thing by just emailing them and seeing if something bounces back to see if it's valid. Most times spammers won't even do a retry so if you have something like a greylist enabled that waits for a retry, that gets quite a bit of spam out of your hair.

Google is one of the biggest spammers in the world. Reads your emails (that should be enough to freak anyone out), tracks your every move, sees what you're viewing or looking at (Google Glass). You shouldn't even correspond with a Gmail user; no privacy is their rule.

Man,
I may go overboard in how lousy I think Gmail/Google is, but you have gone WAY beyond overboard!

I will definitely agree that Gmail is one of the worst there is at not allowing spam through though.

rippleman said,
In the 10 years that I've been using Gmail, I believe I have seen 3 or maybe 4 spam messages get into my INBOX... and I am a heavy email/internet user.

I know you're kidding, right, because I don't believe that statement for even a second! ;)

cork1958 said,
I know you're kidding, right, because I don't believe that statement for even a second! ;)

Eh I can believe it. I have a few webmail accounts. Two on Google, one gets used specifically for forum signups and such and that one gets bombarded, no surprise. My other GMail account and one Outlook account are very quiet though, haven't gotten spam on either of those. Yahoo on the other hand, not so much, that was receiving spam before I even used the address anywhere. None of them are my main though, they run spam interference for my ISP's mail server which hasn't gotten spam in 8 or 9 years.

Interesting how you guys left out the fact that Google at first didn't even pay him a reward for this flaw and then gave him a mere 500 dollars for a flaw that spammers would have paid hundreds of thousands for, if not millions.

Not that he shouldn't be paid something, but I'd say it ranks pretty low on the "flaw" scale. An email address is nothing compared to access to accounts, passwords, etc.

Sure some people don't have their addresses "out in the wild", but the VAST majority already have their addresses everywhere.

In the 10 years that I've been using Gmail, I believe I have seen 3 or maybe 4 spam messages get into my INBOX... and I am a heavy email/internet user.

Doing some math...
if 37,000 = 2 hours

37,000 = 120 mins

37,000 = 7,200 secs

5.14 email addresses per second....

http://en.wikipedia.org/wiki/Gmail -> As of 2012, there were 412 million users.

It would have taken it
80,155,642.0233 seconds
=
1,335,927.367 hours.
=
55,663.64 days
=
1,855.46 months
=
154.62 years to crack the 425 million at that rate.

"article"
"I could have done this potentially endlessly. I have every reason to believe every Gmail address could have been mined."

I'm sorry to tell you, but the 2012 user base is bigger than the lifespan of the computer :p. You'll be needing lots of them

Jose_49 said,

I'm sorry to tell you, but the 2012 user base is bigger than the lifespan of the computer :p. You'll be needing lots of them

Not sure if you know this, but people are using lots of computers these days. It's kind of a thing.

Sweet and interesting. Quite a peculiar way to batch download the email addresses.

Could this problem have been mitigated if a Re-captcha form was used?

deadonthefloor said,

Wouldn't slow them down for long.

I've wondered how they would overcome the Re-Captcha. OCR? Or a database fetch to match words or combinations?