AAPL Stock: 118.88 ( 0 )

Printed from

Gmail bug might have leaked every user's email to attackers

updated 07:07 pm EDT, Thu June 12, 2014

Bug could have been exploited to generate a list of every Gmail address

A bug in Gmail could have left every user's email address on the service exposed to collection by outside parties for close to four years. A security researcher from Tel Aviv discovered the bug, which allowed him to collect 37,000 email addresses in as little as two hours with a brute force attack. The bug could allow someone to change a token in a URL, gained from a declining access notification in Gmail's delegation feature, using a script to gather addresses.

Oren Hafif, who works for Trustwave, initially discovered the bug last November, but detailed how it worked in a blog post this week. Hafif used a brute force attack through a token displayed in the web address tied to the declining of the email delegation permissions request. The first set of results was around 1,000 email addresses that belonged to both Gmail users and business users of Google Apps.

Hafif later used a program called DirBuster to start a more widespread attack, collecting a larger number of addresses through the use of a dictionary to replace the token string in the URL. Even though he would run into Google bot protection, changing the email address to a Google support listing would allow the email collection to continue. Hafif recreated the process, showing how easy it is in a YouTube video.

Speaking with Wired, Hafif said that it was possible to get more than the 37,000 email addresses he collected in two hours. He added that it could have been done anonymously, and without detection with the use of additional software.

"I could have done this potentially endlessly," said Hafif. "I have every reason to believe every Gmail address could have been mined."

Later, Hafif would turn to Google with his findings. He says that Google took a month to fix the bug. They also initially declined to pay him a bounty for the findings, before turning around and awarding him $500. Google confirmed to Wired that they patched the issue and paid a reward, but offered no further information.

Google added the delegation feature at the end of 2010, so it is possible the bug has been in the wild since that time. Because the attack could have been carried out anonymously, as Hafif stated, any number of people could have used it to collect a list of Gmail users.

The good news is that the only information that could be mined because of the bug related to the email address. No personal information or passwords could have been gleaned through the collection process. However, the addresses are ripe for being sold to marketers and used for other purposes.

On the Trustwave blog, Hafif explains just how valuable an email address is. Pieced together with other bits of information gathered elsewhere or used in attacks, they can yield other tidbits of personal data or even result in an account take over.

When the reach of a Gmail account or the use of an email address as a login is considered, it can be recognized as an important identifier to an individual. Given the pervasiveness of Google and Gmail, a hacker possessing a Gmail email address can lead to any number of things. Unlike a password, the email address is a permanent identifier that requires more effort to change than a password.

by MacNN Staff



  1. prl99

    Mac Enthusiast

    Joined: 03-24-09

    To be fair to Google (why I don't know), has this also happened to any version of Apple's mail servers? I wonder if Hafif tried the same attack on other email servers and whether he was successful. Since Hafif found it, I'm sure others found it and simply didn't tell Google, harvesting emails to sell to others. I'm glad I dropped my gmail account several months ago but family members refuse to drop theirs even though Google has done all sorts of things to users without a clear understanding it was being done.

  1. Charles Martin

    MacNN Editor

    Joined: 08-04-01

    The story makes clear that the vulnerability came about as part of Gmail's "delegation" feature, which they implemented in 2010. I'm not saying all other email systems are immune to similar attacks, but this attack appears to have relied on a feature Google developed for its Gmail system.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Ultimate Ears Megaboom Bluetooth Speaker

Ultimate Ears (now owned by Logitech) has found great success in the marketplace with its "Boom" series of Bluetooth speakers, a mod ...

Kinivo URBN Premium Bluetooth Headphones

We love music, and we're willing to bet that you do, too. If you're like us, you probably spend a good portion of your time wearing ...

Jamstik+ MIDI Controller

For a long time the MIDI world has been dominated by keyboard-inspired controllers. Times are changing however, and we are slowly star ...


Most Commented