To all Gmail users, beware. There might be a huge flaw in Google’s wildly popular email service that could have exposed the email addresses of every single user.
This warning comes from security researcher Oren Hafif, who found and helped Google fix a serious bug that left Gmail users’ email addresses exposed to anyone with a bit of patience. While digging up addresses would have taken quite a bit of time, Hafif’s report notes that the bug had existed for years before it was fixed, and it could easily have been used to obtain every Gmail user’s address.
The revelation was reported in Wired, which further notes that the bug would not by itself have exposed any passwords or other sensitive data unless somebody tried to take advantage of the exposure.
"The exploit involved a lesser-known account-sharing feature of Gmail that allows a user to ‘delegate’ access to their account," Wired’s Andy Greenberg wrote.
"In November of last year, Hafif found that he could tweak the URL of a webpage that appears when a user is declined that delegated access to another user’s account. When he changed one character in that URL, the page showed him that he’d been declined access to a different address. By automating the character changes with a piece of software called DirBuster, he was able to collect 37,000 Gmail addresses in about two hours."
Using the flaw, Hafif says he could have obtained the email addresses of every single Gmail user in the world in a matter of days or weeks.