Here’s a bit of news that doesn’t make one feel very reassured about cyber-security.
And that flaw could have been exploited to extract millions of Gmail addresses – potentially every single one of them, in fact.
What’s even more unnerving is that this flaw wasn’t uncovered by Google’s own engineers, but instead by security researchers in Israel who were kind enough to bring it to the company’s attention.
Thankfully, it was the “good guys” rather than the “bad” who made the discovery.
Evidently, the flaw resided in the sharing feature of Gmail that allows each user to delegate access to his or her Gmail account.
By “tweaking” the web address, the security researchers were able to reveal a random user’s e-mail address.
Once this procedure was proved out, scaling the hack was relatively easy. By automating character changes using a software tool called DirBuster, the researchers were able to harvest approximately 37,000 Gmail address inside of two hours.
Oren Hafif, one of the security researchers involved in the exercise, blogged recently about the potential scope of the flaw:
“I brute-forced a token in a Gmail URL to extract all of the e-mail addresses hosted on Google. I could have done this potentially endlessly. I have every reason to believe every Gmail address could have been mined.”
While the hack would not have exposed passwords explcitly, it could have left email accounts open to password-guessing attacks — not to mention unwanted spam mail or phishing.
Potentially, the breach could have affected not only personal users, but also businesses that use Google to host their email platforms.
Helpfully, the Israeli security researchers decided to inform Google of their discovery, preferring to be part of the solution rather than let the company twist in the wind.
So … are you ready for the kicker?
Reportedly, it took Google one full month to fix the software bug after being informed about it.
For a core service like email that is so central to the entire Google experience, one wonders why it took one of the world’s largest and most powerful companies weeks rather than just days to fix the problem.
If you’re looking for a redeeming or staisfying finale to this story … there really isn’t one.
Why? Because in its infinite generosity, Google decided to reward Mr. Hafif for bringing the software flaw to its attention, in the form of a cash award.
One that really, really expressed thanks and appreciation for what he did.
Reportedly, the award amounted to US$500.