==============================================
A massive security flaw in Google's Gmail service that could have been used to extract millions of addresses has been revealed. The flaw was only found when an Israeli security researcher raised the alarm with Google. The search giant said the flaw has now been fixed - and paid the researcher for his tip.

The newly revealed flaw could have been used to capture the email address of every user of Google's mail service.
HOW IT WORKS
The exploit uses a sharing feature of Gmail that allows a user to 'delegate' access to their account.

By tweaking the web address, Hafif found it was possible to reveal a random user's email address. By automating the character changes with a piece of software called DirBuster, he was able to collect 37,000 Gmail addresses in about two hours.
Oren Hafif says the trick would not have exposed passwords or otherwise allowed easy access to those accounts, but could have left users vulnerable to spam, phishing or password-guessing attacks.
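The weakness described above is a guessable token in a URL, swept at roughly 18,500 requests an hour (37,000 addresses in two hours). The following added example is not from the article, from Google or from Hafif; it uses a constructed, hypothetical log format and a hypothetical `/mail/delegation?token=` path to show the two defender-side points: how quickly a short token space is exhausted at that rate versus a properly random one, and how a burst of distinct token lookups from one client stands out in access logs.

```python
import re
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (hypothetical format: "ts ip status path").
# One client cycles through guesses at a short token on a delegation-style URL;
# a second client behaves normally. Addresses are documentation ranges.
SAMPLE_LOG = """\
2014-06-13T10:00:00 203.0.113.7 404 /mail/delegation?token=aa01
2014-06-13T10:00:00 203.0.113.7 404 /mail/delegation?token=aa02
2014-06-13T10:00:01 203.0.113.7 404 /mail/delegation?token=aa03
2014-06-13T10:00:01 198.51.100.20 200 /mail/inbox
2014-06-13T10:00:01 203.0.113.7 200 /mail/delegation?token=aa04
2014-06-13T10:00:02 203.0.113.7 404 /mail/delegation?token=aa05
2014-06-13T10:00:02 203.0.113.7 404 /mail/delegation?token=aa06
2014-06-13T10:00:03 203.0.113.7 404 /mail/delegation?token=aa07
2014-06-13T10:03:00 198.51.100.20 404 /mail/delegation?token=zz99
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")
TOKEN_RE = re.compile(r"[?&]token=([^&\s]+)")


def parse(log_text):
    """Yield (timestamp, ip, status, token) for every line that carries a token."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, status, path = m.groups()
        t = TOKEN_RE.search(path)
        if t:
            yield datetime.fromisoformat(ts), ip, int(status), t.group(1)


def find_enumerators(log_text, window=timedelta(minutes=1), threshold=5):
    """Flag clients that present more than `threshold` distinct tokens inside `window`.

    A legitimate user follows one delegation link; a client sweeping the token
    space produces many distinct tokens (mostly 404s) in a short burst.
    Returns {ip: peak number of distinct tokens seen in any one window}.
    """
    events = defaultdict(list)  # ip -> [(ts, token), ...]
    for ts, ip, _status, token in parse(log_text):
        events[ip].append((ts, token))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({tok for _, tok in evs[start:end + 1]})
            if distinct > threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def hours_to_exhaust(alphabet_size, length, rate_per_hour):
    """Hours needed to try every token of `length` symbols at `rate_per_hour` guesses."""
    return (alphabet_size ** length) / rate_per_hour


def mint_token(nbytes=32):
    """Unguessable token: 256 bits from the OS CSPRNG, URL-safe base64 (43 chars)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print("flagged clients:", find_enumerators(SAMPLE_LOG))
    # 4 alphanumeric symbols at the article's observed rate: about 91 hours.
    print("hours for 36^4 space:", round(hours_to_exhaust(36, 4, 18500), 1))
    # 43 URL-safe symbols (256 bits) at the same rate: effectively never.
    print("hours for 64^43 space:", hours_to_exhaust(64, 43, 18500))
    print("example token:", mint_token())
```

The two numbers side by side are the whole argument: a token short enough to be swept in a weekend is a design defect regardless of rate limiting, while a 256-bit random token cannot be exhausted at any request rate. The detector is the complementary control: even with a long token, a client presenting hundreds of distinct values per minute is worth throttling and logging.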
'I bruteforced a token in a Gmail URL to extract all of the email addresses hosted on Google,' he revealed in a blog this week.
'I could have done this potentially endlessly,' Hafif, a Tel Aviv, Israel-based penetration tester for security firm Trustwave, told Wired.
'I have every reason to believe every Gmail address could have been mined.' The exploit wouldn’t have just affected personal users of Gmail, Hafif said, but also every business that uses Google to host its email, including even Google itself.
Hafif says it took Google another month after his report to fix the bug.
The company initially declined to pay him under its bug bounty program for rewarding hackers who expose and help fix its security flaws. But it later relented and paid him $500. A Google spokesman confirms that the company patched Hafif’s email-stealing bug and paid him a reward for his help, but declined to respond to requests for further comment.
Hafif also admitted he has no idea if the flaw had been used.

'We’ll never know,' he said.
+++++++++++++++++++++++++++++++
Remember you can subscribe to receiving notifications when new blogs are posted:
http://netiquetteiq.blogspot.com/feeds/posts/default
===============================
In addition to this blog, I have authored the premier book on Netiquette, "Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". You can view my profile, reviews of the book and content excerpts at:
www.amazon.com/author/paulbabicki
If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio and an online newsletter via paper.li. I have established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and I have been contributing to the blogs Everything Email and emailmonday. My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ, Rider University and PSG of Mercer County New Jersey.
==========================================
Saepta combines ease-of-use with powerful voting features to provide real-time feedback and comments. Visit saepta.com to experience the public version of social network voting, and visit get.saepta.com for additional information on deploying Saepta within your organization.
=======================================
Looking for feedback on a location for the company picnic? Use Saepta to post that quick question to staff and review results in real time. Interested in a quick response from a few loyal customers regarding choosing a new product name? Saepta offers privacy through a direct link to a target list, providing you real time feedback that includes comments.
=======================================