A gaping security flaw in Google's Gmail email service has been publicized that could have allowed hackers to extract the email address of every single user from Google's database.
Oren Hafif, a security penetration expert, discovered last year that he could manipulate the little-used account-sharing feature in Gmail to edit the 'Rejection Confirmed' webpage. After changing one character in the URL of the page that appears when you reject access to a shared account, Hafif found he could make the page tell him that he had been declined access to another email address.
The Gmail account-sharing rejected message could be manipulated to display the email address of somebody else
By using DirBuster, a brute-force hacking program, he automated the character-changing process and saved 37,000 Gmail addresses to a text file in around two hours. From this, he could extract the individual email addresses. Hafif made the now long-patched issue public in a blog post and video on Tuesday and told Wired:
"I could have done this potentially endlessly. I have every reason to believe every Gmail address could have been mined."
He added that the technique could have been used to view the addresses of anyone with Google mail hosting including businesses. At one point in his testing, Google detected his efforts and blocked his access. He was able to continue downloading addresses by simply changing another character in the URL though.
Although email addresses alone do not facilitate access to an account, lists of thousands of them can be sold to spammers and phishers for a profit. We may never know whether this flaw was ever exploited, though, now that the issue has been patched, it's no longer an issue.