Gmail fail: bug exposed EVERY email address

A gaping security hole in Gmail allowed anyone to access the email addresses of every single Gmail user.

Google has now fixed the bug after being made aware of it by security researcher Oren Hafif . The bug would not have exposed passwords or given hackers access to accounts, but could have left people vulnerable to phishing attacks.

The flaw took advantage of an obscure Gmail feature that allows users to delegate access to their account. The feature sends a URL to approve or deny delegated access to an account, but Hafif noticed that it contained a ‘token’, a part of which could be changed to cough up any Gmail address.

Using a tool called DirBuster, Hafif was able to reveal 37,000 Gmail addresses in just two hours by bruteforcing the vulnerability.

Hafif, a security researcher for Trustwave, said there was nothing to stop him continuing until he had collected the email addresses of all Gmail users. Using anonymity tools there would also be nothing to stop attackers exploiting the bug without ever being detected.

Once Google had fixed the bug Hafif released a video explaining how it worked:

It isn’t clear how long the bug was active for, although Gmail’s delegation feature was introduced in 2010, so it seems likely it was there for years.

Google confirmed it had fixed the bug and paid Hafif $500 for his help in alerting them to it as part of its security reward program.