Oren Hafif, a security consultant for the Tel Aviv-based cybersecurity firm Trustwave, found a bug in Google’s Gmail service that would let someone obtain millions of Gmail addresses in a relatively short time, Wired magazine reported last week.
Hafif exploited a little-known account-sharing feature of Gmail that allows users to "delegate" access to their account to another address. When a delegation request is refused, Gmail shows a Web page telling the requester which address refused them, and the page's URL carries a value identifying that request. By tweaking characters in that URL, Hafif found the page would name a different address each time, turning the error page into an oracle for valid Gmail accounts. Using a script to automate the character changes, Hafif collected 37,000 Gmail addresses in just two hours, Wired said.
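The pattern Wired describes is a classic enumeration oracle: an error page that takes an identifier from the URL and echoes back the account it belongs to, without checking that the identifier belongs to the visitor. The following is an added illustration written for this article, not Google's code and not Hafif's tool; the request store, token format, page text and address names are all constructed. It shows a vulnerable rejection page beside a hardened one, and the kind of single-character mutation loop that turns the vulnerable version into an address harvester.

```python
import re

# Constructed sample data (hypothetical, not Gmail's): pending delegation
# requests keyed by the short identifier that appears in the rejection-page
# URL. Each entry records who asked for access and whose mailbox they asked for.
DELEGATION_REQUESTS = {
    "a1b2": ("attacker@example.com", "alice@example.com"),
    "a1c2": ("someone@example.com", "bob@example.com"),
    "a9b2": ("other@example.com", "carol@example.com"),
    "z1b2": ("other@example.com", "dave@example.com"),
    "q7x9": ("other@example.com", "erin@example.com"),  # not reachable by one edit
}

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
ADDRESS_RE = re.compile(r"access to ([\w.+-]+@[\w.-]+)")


def rejection_page_vulnerable(token: str) -> str:
    """Renders the 'access refused' page.

    Flaw: any token present in the store is rendered, regardless of who is
    viewing the page, so the page acts as a token -> address oracle.
    """
    entry = DELEGATION_REQUESTS.get(token)
    if entry is None:
        return "<p>This request is no longer valid.</p>"
    _requester, target = entry
    return f"<p>Your request for access to {target} was refused.</p>"


def rejection_page_hardened(token: str, session_user: str) -> str:
    """Same page, but the token must belong to the logged-in user.

    A token that does not exist and a token that belongs to someone else get
    the identical generic response, so the page confirms nothing to a guesser.
    """
    entry = DELEGATION_REQUESTS.get(token)
    if entry is None or entry[0] != session_user:
        return "<p>This request is no longer valid.</p>"
    return f"<p>Your request for access to {entry[1]} was refused.</p>"


def single_char_variants(token: str, alphabet: str):
    """Yield every string that differs from `token` in exactly one position."""
    for i, original in enumerate(token):
        for ch in alphabet:
            if ch != original:
                yield token[:i] + ch + token[i + 1:]


def harvest(page_fn, seed_token: str, alphabet: str = ALPHABET) -> set:
    """Mutate the attacker's own token one character at a time, request the
    page for each variant, and collect every address the page discloses."""
    found = set()
    for candidate in single_char_variants(seed_token, alphabet):
        match = ADDRESS_RE.search(page_fn(candidate))
        if match:
            found.add(match.group(1))
    return found


if __name__ == "__main__":
    leaked = harvest(rejection_page_vulnerable, "a1b2")
    print(f"vulnerable page leaked {len(leaked)} addresses: {sorted(leaked)}")
    bound = harvest(lambda t: rejection_page_hardened(t, "attacker@example.com"), "a1b2")
    print(f"hardened page leaked {len(bound)} addresses")
```

Against the vulnerable handler the loop recovers every address whose token is one edit away from the attacker's own; widening the mutation radius or walking the whole token space is the "software to automate character changes" step. The hardened handler ties the token to the session, so the same loop yields nothing, and because the generic message is identical for missing and foreign tokens, response text alone no longer distinguishes the two cases. Rate limiting on the endpoint is a sensible second layer, but it is not the fix: the authorization check is.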
The trick doesn't reveal passwords, but a list of confirmed-valid addresses would be a boon to spammers and could help attackers launch targeted password-guessing attacks, the magazine said. Google paid Hafif $500 under its bug bounty program, which rewards researchers who report flaws in its systems, and has since fixed the problem.