This week a security researcher by the name of Oren Hafif revealed a method for collecting every single Gmail address in existence. This method was not a hack – nor was it necessarily a bug – but with a lot of patience (or a simple computer program), a spammer could have collected all Gmail addresses ever used. Hafif’s method ran for two hours and collected 37,000 addresses.
The method Hafif used to collect Gmail addresses involved Gmail access delegation. This is the feature you use when you have a Gmail account and want to grant a friend access to it. Hafif realized that the URL shown when a user declines such access contained two key elements:
1. A Token
2. Public Access
In Hafif’s report, he suggests that Homer Simpson describes the situation at this point perfectly: [Programmer Homer says: while(true)(“Sigh!”+”D’oh”);]. You’ll also see Friendly Advice Homer giving out advice here as well.
Hafif ran the URL through a program that brute-forced changes to it, producing “so many email addresses that every single tool I use for the bruteforce collapses.” Once he had a new, unique script working, he began to harvest email addresses.
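To show why a decline link leaks addresses under the pattern the article describes, and what the fix looks like, here is an added toy model (not Gmail's code, and the data is constructed): a weak decline endpoint whose token is guessable and whose reply names the mailbox, beside a hardened one that uses a random single-use token and never echoes the address.

```python
import secrets

# Constructed sample data: pending delegation offers, keyed by an integer id.
PENDING = {1001: "alice@example.com", 1002: "bob@example.com", 1003: "carol@example.com"}

# --- Weak pattern (assumed model of the flaw described above) ---
def weak_decline(token: str) -> str:
    """Decline link whose token is just the record id and whose reply names the mailbox."""
    try:
        rec = PENDING.get(int(token))
    except ValueError:
        rec = None
    if rec is None:
        return "invalid link"
    return f"You have declined delegated access to {rec}"   # leaks the address

# --- Hardened pattern ---
# One random 128-bit token per offer, kept server-side; the address is never echoed,
# and a token works only once, so a guess cannot be confirmed by the response.
DECLINE_TOKENS = {secrets.token_urlsafe(16): rid for rid in PENDING}
USED = set()

def hardened_decline(token: str) -> str:
    rid = DECLINE_TOKENS.get(token)
    if rid is None or token in USED:
        return "This link is invalid or has already been used."   # same reply either way
    USED.add(token)
    return "Delegation request declined."                        # no address disclosed

def addresses_disclosed(handler, guesses) -> int:
    """Count how many guesses make the handler reveal a mailbox address (a defender's check)."""
    return sum(1 for g in guesses if "@" in handler(g))
```

Running `addresses_disclosed` over a small range of ids shows the weak handler giving up every pending address while the hardened one gives up none, because its token space (2^128) cannot be walked the way a short counter can.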
The email addresses he saw included many “Google Apps for Business” domains as well as @Google.com addresses – including Google employees.
The report was turned in to Google, and Hafif was given a bounty of $500 USD for revealing to Google how someone might find every single Gmail address ever.
Have no fear now, though, users – the vulnerability has been fixed. If someone else had figured it all out before this week, though, your address may already be out there.