updated 07:07 pm EDT, Thu June 12, 2014
Bug could have been exploited to generate a list of every Gmail address
A bug in Gmail could have left every user's email address on the service exposed to collection by outside parties for close to four years. A security researcher from Tel Aviv discovered the bug, which allowed him to collect 37,000 email addresses in as little as two hours with a brute force attack. The bug let someone take the token from the URL in a notification declining access under Gmail's delegation feature, then use a script to alter that token and gather addresses.
Oren Hafif, who works for Trustwave, first discovered the bug last November but only detailed how it worked in a blog post this week. Hafif ran a brute force attack against a token displayed in the web address tied to declining an email delegation permissions request. The first set of results was around 1,000 email addresses belonging to both Gmail users and business users of Google Apps.
Hafif later used a program called DirBuster to mount a more widespread attack, collecting a larger number of addresses by using a dictionary to replace the token string in the URL. Although he ran into Google's bot protection, changing the email address to a Google support listing allowed the collection to continue. Hafif recreated the process in a YouTube video, showing how easy it is.
Speaking with Wired, Hafif said it was possible to get more than the 37,000 email addresses he collected in two hours. He added that, with additional software, it could have been done anonymously and without detection.
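The attack described above has a recognisable server-side signature: one client requesting the same token-bearing endpoint over and over with a different token each time, most of them failing. The following detection script is an added example and not code from the article, Trustwave or Google; the log lines, the `/delegation/decline` path and the `token` query parameter are constructed stand-ins, not Gmail's real logs or URLs. It parses access-log lines, and flags any client that tries more than a threshold of distinct tokens against the endpoint within a sliding time window, which is the kind of check that rate limiting or bot protection would key on.

```python
"""Flag token-enumeration attempts against a URL that carries a per-request token.

Added example with constructed data: the log lines, the endpoint path and the
query parameter name are illustrative assumptions, not Gmail's real ones.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample access log: "<iso timestamp> <client ip> <status> <request>"
SAMPLE_LOG = """\
2014-06-12T10:00:00 203.0.113.7 404 /delegation/decline?token=aaaa
2014-06-12T10:00:01 203.0.113.7 404 /delegation/decline?token=aaab
2014-06-12T10:00:01 203.0.113.7 200 /delegation/decline?token=aaac
2014-06-12T10:00:02 203.0.113.7 404 /delegation/decline?token=aaad
2014-06-12T10:00:02 203.0.113.7 200 /delegation/decline?token=aaae
2014-06-12T10:00:03 203.0.113.7 404 /delegation/decline?token=aaaf
2014-06-12T10:05:00 198.51.100.9 200 /delegation/decline?token=k9s2x7qp
2014-06-12T10:06:00 198.51.100.9 200 /delegation/decline?token=k9s2x7qp
2014-06-12T10:06:30 198.51.100.9 200 /inbox
"""

ENDPOINT = "/delegation/decline"   # assumed path for the token-bearing page
TOKEN_PARAM = "token"              # assumed query parameter name
WINDOW = timedelta(minutes=1)      # sliding window per client
THRESHOLD = 5                      # distinct tokens in one window that we treat as enumeration


def parse_line(line):
    """Split one log line into (timestamp, client, status, path, token-or-None)."""
    ts, client, status, request = line.split(" ", 3)
    parsed = urlparse(request)
    token = parse_qs(parsed.query).get(TOKEN_PARAM, [None])[0]
    return datetime.fromisoformat(ts), client, int(status), parsed.path, token


def find_enumerators(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {client: max distinct tokens seen in any single window} for clients
    that tried at least `threshold` distinct tokens against ENDPOINT."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _status, path, token = parse_line(line)
        if path != ENDPOINT or token is None:
            continue                      # only the token-bearing endpoint matters
        events[client].append((ts, token))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({tok for _, tok in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for client, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {count} distinct tokens within {WINDOW} -> possible enumeration")
```

The legitimate client that reloads the same decline link twice is not flagged, because the count is over distinct tokens rather than raw requests; the scripted client that cycles through guesses is. In production the same signal would feed a rate limiter or CAPTCHA challenge, and the response should not vary between valid and invalid tokens in a way that confirms an address.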
"I could have done this potentially endlessly," said Hafif. "I have every reason to believe every Gmail address could have been mined."
Hafif later took his findings to Google. He says Google took a month to fix the bug and initially declined to pay him a bounty, before reversing course and awarding him $500. Google confirmed to Wired that it had patched the issue and paid a reward, but offered no further information.
Google added the delegation feature at the end of 2010, so it is possible the bug has been in the wild since that time. Because the attack could have been carried out anonymously, as Hafif stated, any number of people could have used it to collect a list of Gmail users.
The good news is that the only information that could be mined through the bug was the email address itself. No personal information or passwords could have been gleaned through the collection process. The addresses are, however, ripe for being sold to marketers and used for other purposes.
On the Trustwave blog, Hafif explains just how valuable an email address is. Pieced together with other bits of information gathered elsewhere or used in attacks, addresses can yield other tidbits of personal data or even result in an account takeover.
Considering the reach of a Gmail account, and the use of an email address as a login, the address is an important identifier for an individual. Given the pervasiveness of Google and Gmail, a hacker possessing a Gmail email address can lead to any number of things. Unlike a password, the email address is a permanent identifier, and changing it requires more effort than changing a password.