Major 'Security Flaw' in Gmail Could Have Exposed All E-Mail Addresses to Hackers


A major flaw in Gmail, Google's most popular email service, has recently been uncovered. Apparently, the flaw exposed email addresses across the globe. Oren Hafif, a security researcher, unearthed the flaw and helped Google rectify the bug, which disclosed the email address of every user account, Wired said.

It took Hafif only a clever tweak to the characters in a Web page's URL and some much-needed patience to extract email addresses. He was also quick to point out that this particular bug had existed for many years before it was fixed. The silver lining was that the bug did not disclose passwords or private data of users.

Wired also wrote that, to get the email addresses, a hacker could have used Gmail's account-sharing feature, which lets users delegate access to their account. Hafif found the vulnerability in November 2013.

According to Hafif, he tweaked the URL of the Web page that comes up when a user rejects delegated access to another user's account. When he changed a single character in the URL, the Web page told him that access to a different user's account, identified by its email address, had been declined. In this way, Google showed the email address of the access-denied account to the hacker.

Having got hold of one email address this way, Hafif automated the character changes with an application called DirBuster. With this, he harvested 37,000 Gmail addresses within two hours. Hafif went on to say that he could easily have obtained the Gmail address of every user in the world within a couple of days or weeks.
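From the defender's side, the automated single-character changes described above leave a recognisable pattern in request logs. The following is an added example, not code from Wired, Hafif or Google: it flags clients that send bursts of near-identical tokens to one endpoint. The endpoint path, the `token` parameter name, the log layout and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

WATCHED_PATH = "/delegation/reject"  # hypothetical endpoint, not Gmail's real URL
TOKEN_PARAM = "token"                # hypothetical parameter name

# Constructed sample log lines: client IP, epoch seconds, request URL.
SAMPLE_LOG = """\
198.51.100.7 1000 /delegation/reject?token=k3Xa9Qz1
198.51.100.7 1002 /delegation/reject?token=k3Xa9Qz2
198.51.100.7 1003 /delegation/reject?token=k3Xa9Qz3
198.51.100.7 1005 /delegation/reject?token=k3Xa9Qz4
198.51.100.7 1006 /delegation/reject?token=k3Xa9Qz5
203.0.113.20 1001 /delegation/reject?token=Pq77LmN0
203.0.113.20 1500 /delegation/reject?token=Zr18TtB4
192.0.2.33 1004 /inbox
"""

def one_char_apart(a, b):
    """True when two tokens have equal length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def parse(line):
    """Return (client, timestamp, token) for requests to the watched path, else None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, ts, url = parts
    u = urlsplit(url)
    tokens = parse_qs(u.query).get(TOKEN_PARAM)
    if u.path != WATCHED_PATH or not tokens or not ts.isdigit():
        return None
    return client, int(ts), tokens[0]

def find_enumerators(lines, window=60, max_mutated=3):
    """Map each flagged client to its peak count of distinct tokens, seen within
    `window` seconds, that sit one character away from another of its tokens."""
    seen = defaultdict(list)  # client -> [(timestamp, token)] inside the window
    flagged = {}
    for client, ts, token in sorted(filter(None, map(parse, lines)), key=lambda r: r[1]):
        recent = [(t, k) for t, k in seen[client] if ts - t <= window]
        if all(k != token for _, k in recent):
            recent.append((ts, token))
        seen[client] = recent
        tokens = [k for _, k in recent]
        mutated = [k for k in tokens if any(one_char_apart(k, o) for o in tokens)]
        if len(mutated) > max_mutated:
            flagged[client] = max(flagged.get(client, 0), len(mutated))
    return flagged
```

Calling `find_enumerators(SAMPLE_LOG.splitlines())` flags only the first client; the window and threshold need tuning against the endpoint's normal traffic.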

Google was not willing to pay him for the discovery under the company's bug bounty program, which rewards hackers who help the search giant fix security vulnerabilities. But looking at the potential of the unearthed bug, Google paid him a sum of $500. This amount was quite small compared to the humongous amounts Google awards to hackers who find critical bugs.

Wired noted that a Google spokesperson has confirmed a patch for the bug discovered by Hafif. Even though Hafif discovered the bug last year, he disclosed his findings in a personal blog post only this week.

The security researcher also expressed his disappointment with the $500 reward handed over to him by the search giant. His blog post said, "Think about how much money a spammer or a country (China?) are ready to pay for a list of all Google Accounts related emails."

Do you think Google's $500 reward is justified? Since this bug did not expose user passwords, do you think it is still a serious concern? Feel free to leave a comment.
