Bug May Have Left Gmail Users' Emails 'Exposed'
By Karla Danica Figuerres | June 15, 2014 9:40 AM EST
A security hole in Gmail allowed anybody to access the email address of every Google user. The flaw, recently detected in Google's widely used Gmail service, exposed users' email addresses.
Wired reported that Oren Hafif, a security researcher, discovered and helped Google fix a serious problem that exposed Gmail users' email addresses to anyone with a little patience. The report stressed that the bug may have existed for years before it was resolved, since Gmail's delegation feature was introduced in 2010. It is therefore likely that it was there for years and could easily have been used to collect every Gmail user's email address.
The report added that the bug would not have revealed any passwords or personal data but could have left users vulnerable to spam, phishing or password-guessing attacks.
"The exploit involved a lesser-known account-sharing feature of Gmail that allows a user to 'delegate' access to their account," Wired's Andy Greenberg claimed.
In short, the flaw took advantage of an obscure Google feature that allows users to delegate access to their account.
In November of last year, Hafif found he could tweak the URL of a Web page that appears when a user is declined delegated access to another user's account. When he changed one character in that URL, the page showed him that he'd been declined access to a different address.
By automating the character changes with a piece of software called DirBuster, he was able to collect 37,000 Gmail addresses in about two hours.
Hafif said that, using the error, he could have obtained the email addresses of every Gmail user worldwide in a short time, in days or weeks. Google fixed the bug after Hafif reported it.
Left unresolved, the problem would not have affected only personal Gmail users, Hafif added. Hackers could have used it to gather the addresses of every business that uses Google for its email and, worse, even Google itself could have been affected if the problem had been mishandled.
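From the defender's side, the enumeration described above shows up as one client requesting many different token values on the same rejection page in a short time. The following sliding-window check is an added example, not code from the article, Wired or Google; the endpoint path, parameter name, log tuple format and thresholds are all assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit, parse_qs

# Hypothetical endpoint and parameter names; the article does not give the real URL.
REJECT_PATH = "/delegation/reject"
TOKEN_PARAM = "token"


def find_enumerators(events, window_s=60, max_distinct=20):
    """Return {client: first_flag_time} for clients that requested more than
    max_distinct different tokens on the rejection page within any
    window_s-second window. events: (unix_ts, client_id, url), time-sorted."""
    recent = defaultdict(deque)  # client -> deque of (ts, token) inside the window
    flagged = {}
    for ts, client, url in events:
        parts = urlsplit(url)
        if parts.path != REJECT_PATH:
            continue
        tokens = parse_qs(parts.query).get(TOKEN_PARAM)
        if not tokens:
            continue
        window = recent[client]
        window.append((ts, tokens[0]))
        # Drop requests that have aged out of the window.
        while window and window[0][0] <= ts - window_s:
            window.popleft()
        # Count distinct tokens, so a user reloading one link is not flagged.
        distinct = len({token for _, token in window})
        if distinct > max_distinct and client not in flagged:
            flagged[client] = ts
    return flagged


def sample_events():
    """Constructed traffic: one ordinary user reloading a single link, and one
    client changing the token at about 5 requests per second (37,000 addresses
    in two hours is roughly that rate)."""
    events = [(1000.0, "user-a", f"{REJECT_PATH}?{TOKEN_PARAM}=AbCd01")]
    events += [
        (1000.0 + i * 0.2, "client-x", f"{REJECT_PATH}?{TOKEN_PARAM}=AbCd{i:02x}")
        for i in range(100)
    ]
    events.append((1030.0, "user-a", f"{REJECT_PATH}?{TOKEN_PARAM}=AbCd01"))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for client, ts in find_enumerators(sample_events()).items():
        print(f"possible token enumeration by {client}, first flagged at t={ts}")
```

Counting distinct tokens rather than raw requests keeps the alert tied to the behaviour that matters here: the same client being shown rejection pages for many different accounts.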