Saturday, June 14, 2014

Netiquette IQ - A Gmail Flaw All Users Should Know of Recetly Occurred



By Mark Prigg from The Daily Mail
==============================================


A massive security flaw in Google's Gmail service that could have been used to extract millions of addresses has been revealed. The flaw was only found when an Israeli security researchers raised the alarm with Google. The search giant said the flaw has now been fixed - and paid the researcher for his tip.
The newly revealed flaw could have been used to capture the email address of every user of Google's mail service.
HOW IT WORKS
The exploit uses a sharing feature of Gmail that allows a user to 'delegate' access to their account.
By tweaking the web address, Hafif found it was possible to reveal a random user's email address. By automating the character changes with a piece of software called DirBuster, he was able to collect 37,000 Gmail addresses in about two hours.
Oren Hafif says the trick would not have exposed passwords or otherwise allowed easy access to those accounts, but could have left users vulnerable to spam, phishing or password-guessing attacks.
'I bruteforced a token in a Gmail URL to extract all of the email addresses hosted on Google,' he revealed in a blog this week.
'I could have done this potentially endlessly,' says Hafif, a Tel Aviv, Israel-based penetration tester for security firm Trustwave, told Wired.
'I have every reason to believe every Gmail address could have been mined.' The exploit wouldn’t have just affected personal users of Gmail, Hafif said, but also every business that uses Google to hosts its email, including even Google itself.
The exploit uses a sharing feature of Gmail that allows a user to “delegate” access to their account. By tweaking the web address, Hafif found it was possible to reveal a random user's email address. By automating the character changes with a piece of software called DirBuster, he was able to collect 37,000 Gmail addresses in about two hours. Hafif says it took Google another month after his report to fix the bug.
The company initially declined to pay him under its bug bounty program for rewarding hackers who expose and help fix its security flaws. But it later relented and paid him $500. A Google spokesman confirms that the company patched Hafif’s email-stealing bug and paid him a reward for his help, but declined to respond to requests for further comment.
Hafif also admitted he has no idea if the flaw had been used.
'We’ll never know,' he said.
+++++++++++++++++++++++++++++++
Remember you can subscribe to receiving
notifications when new blogs are posted:
http://netiquetteiq.blogspot.com/feeds/posts/default
===============================
In addition to this blog, I have authored the premiere book on Netiquette, "Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". You can view my profile, reviews of the book and content excerpts at:

 www.amazon.com/author/paulbabicki


 If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio  and an online newsletter via paper.li.I have established Netiquette discussion groups with Linkedin and  Yahoo I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts and I have been contributing to the blogs Everything Email and emailmonday . My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ Rider University and  PSG of Mercer County New Jersey.

==========================================


Looking for feedback on a location for the company picnic? Use Saepta to post that quick question to staff and review results in real time. Interested in a quick response from a few loyal customers regarding choosing a new product name? Saepta offers privacy through a direct link to a target list, providing you real time feedback that includes comments.

Saepta combines ease-of-use with powerful voting features to provide real-time feedback and comments. Visit saepta.com to experience the public version of social network voting, and visit get.saepta.com for additional information on deploying Saepta within your organization.
=======================================