Gmail’s Giant Flaw


Oren Hafif, a security researcher, exposed a major glitch in Google’s Gmail system. Hafif worked with Google to fix the problem, but the facts stay the same: millions of Gmail addresses were vulnerable to exploitation.
A feature of Gmail allows users to delegate access to their account, meaning other people can read, delete and respond to emails on behalf of the account owner. Delegated users can’t, however, change login information. If a user is denied delegation to an account, they are sent to a different URL informing them that they have been denied access. In November 2013, Hafif found that once on the page showing he had been denied access, he could change one character in the page’s URL and be taken to another denied page, but for a different email address. Hafif then automated the character changes with a tool called DirBuster and retrieved 37,000 Gmail addresses in two hours.
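A defender’s view of the pattern above, as an added example that is not from the article: a small log scan that flags a client requesting the denied-delegation page with many distinct identifiers inside a short window. The log format, the `/mail/delegation/denied` path and the `ref` parameter are constructed assumptions; the article does not give the real URL layout.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (hypothetical format, path and parameter name).
SAMPLE_LOG = """\
2013-11-05T10:00:01 203.0.113.7 GET /mail/delegation/denied?ref=a1b2c3 200
2013-11-05T10:00:02 203.0.113.7 GET /mail/delegation/denied?ref=a1b2c4 200
2013-11-05T10:00:02 203.0.113.7 GET /mail/delegation/denied?ref=a1b2c5 200
2013-11-05T10:00:03 203.0.113.7 GET /mail/delegation/denied?ref=a1b2c6 200
2013-11-05T10:00:03 203.0.113.7 GET /mail/delegation/denied?ref=a1b2c7 200
2013-11-05T10:00:04 203.0.113.7 GET /mail/delegation/denied?ref=a1b2c8 200
2013-11-05T10:00:10 198.51.100.4 GET /mail/delegation/denied?ref=zz9910 200
2013-11-05T10:00:11 198.51.100.4 GET /mail/inbox 200
2013-11-05T10:05:00 203.0.113.7 GET /mail/delegation/denied?ref=a1b2c9 200
"""

DENIED_PATH = "/mail/delegation/denied"  # assumed endpoint name


def parse_line(line):
    """Split one log line into (timestamp, client, path, ref-or-None)."""
    ts, client, _method, url, _status = line.split()
    parts = urlsplit(url)
    ref = parse_qs(parts.query).get("ref", [None])[0]
    return datetime.fromisoformat(ts), client, parts.path, ref


def find_enumerators(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {client: max distinct refs} for clients that hit the denied
    page with more than `threshold` distinct refs within any `window`.
    A legitimate user lands on this page once; a steady stream of new refs
    from one client is the enumeration pattern described in the article."""
    recent = defaultdict(deque)  # client -> deque of (ts, ref) inside window
    flagged = {}
    for line in log_text.splitlines():
        ts, client, path, ref = parse_line(line)
        if path != DENIED_PATH or ref is None:
            continue
        q = recent[client]
        q.append((ts, ref))
        while q and ts - q[0][0] > window:  # expire entries outside window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) > threshold:
            flagged[client] = max(len(distinct), flagged.get(client, 0))
    return flagged
```

The same counter can be keyed by session or account instead of client address when the service sits behind shared egress addresses.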
Not only could the flaw expose personal Gmail accounts, it could also expose businesses’ Gmail addresses. Google took a month to fix the bug and initially denied Hafif a reward for reporting the glitch. Eventually, Google gave Hafif $500, an amount Hafif considers unfair given the flaw’s malicious potential. As he wrote in a blog post on Tuesday, “Think about how much money a spammer or a country (China?) are ready to pay for a list of all Google accounts?”