Major 'Security Flaw' in Gmail Could Have Exposed All E-Mail Addresses to Hackers
By Pavithra Rathinavel | June 13, 2014 1:52 PM EST
A major flaw in Google's most popular email service, Gmail, has recently been uncovered. The flaw could have exposed the email address of every Gmail account worldwide. Security researcher Oren Hafif found the bug and helped Google fix it; according to Wired, it disclosed the email addresses of user accounts one at a time.
It took Hafif only a small change to a single character in a Web page's URL, plus a good deal of patience, to extract email addresses. He was also quick to point out that this particular bug had existed for many years before it was fixed. The silver lining was that the bug did not disclose users' passwords or private data.
Wired also wrote that, to obtain the email addresses, an attacker could have abused the account-sharing feature of Gmail, which lets users delegate access to their account to another user. Hafif found the vulnerability in November 2013.
According to Hafif, he tweaked the URL of the Web page that appears when a user rejects delegated access to another user's account. When he changed a single character in that URL, the page reported that access to a different user's account, identified by its email address, had been declined. In this way, Google displayed the email address of the account behind the modified identifier to whoever requested the page.
Having confirmed that one changed character yielded one email address, Hafif automated the character changes with an application called DirBuster. With it he harvested 37,000 Gmail addresses within two hours. Hafif went on to say that he could easily have obtained the Gmail address of every user in the world within a couple of days or weeks.
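The pattern described above, an identifier in the URL whose error page echoes the address it belongs to, is easiest to see as code. The following is an added illustration and is not code from the article, from Hafif, or from Google: it contrasts a handler that leaks the address tied to any guessed invitation ID with a hardened form (one reasonable fix, not Google's actual patch) that checks the requester, returns the same generic message for unknown and foreign IDs, and issues unguessable IDs, and it adds a simple log check for the kind of automated guessing the article describes. All names, IDs, addresses and log lines are constructed for the example.

```python
import secrets
from collections import defaultdict

# Constructed sample data: pending delegation invitations keyed by an ID.
# In the weak design the IDs are short and adjacent, so changing one
# character of a valid ID lands on another user's invitation.
INVITES = {
    "a1b2c3": {"delegate_email": "alice@example.com", "owner": "bob@example.com"},
    "a1b2c4": {"delegate_email": "carol@example.com", "owner": "dave@example.com"},
}


def decline_vulnerable(invite_id: str) -> str:
    """Reject-delegation page text in the leaky style the article describes.

    It echoes the address attached to whatever ID appears in the URL,
    so anyone who guesses a valid ID learns an address they were never
    meant to see.
    """
    invite = INVITES.get(invite_id)
    if invite is None:
        return "Invalid invitation."
    return f"Access to {invite['delegate_email']} has been declined."


def decline_hardened(invite_id: str, requester_email: str) -> str:
    """Hardened form (an assumed fix, not Google's patch).

    1. Only the user the invitation was addressed to may act on it.
    2. The response never echoes an address; the requester already knows
       their own.
    3. Unknown IDs and IDs belonging to someone else get the identical
       message, so the page cannot serve as an oracle for which IDs exist.
    """
    invite = INVITES.get(invite_id)
    if invite is None or invite["delegate_email"] != requester_email:
        return "This invitation is not available."
    return "The delegation request has been declined."


def new_invite_id() -> str:
    """Unguessable identifier: neighbouring IDs cannot be reached by
    flipping one character, so guessing is no longer practical."""
    return secrets.token_urlsafe(32)


# Constructed access-log lines: "<client> <invite_id> <http_status>".
# 10.0.0.5 walks through adjacent IDs the way an automated guesser would;
# 10.0.0.9 touches only the single invitation sent to it.
SAMPLE_LOG = """\
10.0.0.5 a1b2c3 200
10.0.0.5 a1b2c4 200
10.0.0.5 a1b2c5 404
10.0.0.5 a1b2c6 404
10.0.0.5 a1b2c7 404
10.0.0.9 a1b2c3 200
"""


def flag_enumeration(log_text: str, max_distinct_ids: int = 3) -> list:
    """Return clients that touched more distinct invitation IDs than a
    single legitimate user plausibly would. A crude but cheap signal for
    the automated ID guessing the article describes; the threshold is an
    assumed value to tune per service."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        client, invite_id, _status = line.split()
        seen[client].add(invite_id)
    return sorted(c for c, ids in seen.items() if len(ids) > max_distinct_ids)


if __name__ == "__main__":
    print(decline_vulnerable("a1b2c4"))             # leaks carol@example.com
    print(decline_hardened("a1b2c4", "alice@example.com"))  # generic message
    print(decline_hardened("a1b2c3", "alice@example.com"))  # alice may decline
    print(flag_enumeration(SAMPLE_LOG))             # ['10.0.0.5']
```

The two handlers differ in three places that matter: who may act on an invitation, what the response reveals, and whether the response distinguishes "does not exist" from "not yours". Fixing only the echoed address would still leave an existence oracle, which is why the hardened version collapses both failure cases into one message.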
Google was initially not willing to pay him for the discovery under the company's bug bounty program, which rewards hackers who help the search giant fix security vulnerabilities. Given the potential of the bug, Google eventually paid him $500. That amount is small compared with the sums Google awards to hackers who find critical bugs.
Wired noted that a Google spokesperson confirmed the bug discovered by Hafif has been patched. Although Hafif found the bug last year, he disclosed his findings in a personal blog post only this week.
The security researcher also expressed his disappointment at the $500 reward handed to him by the search giant. His blog post said, "Think about how much money a spammer or a country (China?) are ready to pay for a list of all Google Accounts related emails."
Do you think Google's $500 reward is justified? Since this bug did not expose user passwords, do you think it is still a serious concern? Feel free to leave a comment.