Printed from

Gmail bug might have leaked every user's email to attackers

updated 07:07 pm EDT, Thu June 12, 2014

Bug could have been exploited to generate a list of every Gmail address

A bug in Gmail could have left every user's email address on the service exposed to collection by outside parties for close to four years. A security researcher from Tel Aviv discovered the bug, which allowed him to collect 37,000 email addresses in as little as two hours with a brute force attack. The bug could allow someone to change a token in a URL, gained from a declining access notification in Gmail's delegation feature, using a script to gather addresses.

Oren Hafif, who works for Trustwave, initially discovered the bug last November, but detailed how it worked in a blog post this week. Hafif used a brute force attack through a token displayed in the web address tied to the declining of the email delegation permissions request. The first set of results was around 1,000 email addresses that belonged to both Gmail users and business users of Google Apps.

Hafif later used a program called DirBuster to start a more widespread attack, collecting a larger number of addresses through the use of a dictionary to replace the token string in the URL. Even though he would run into Google bot protection, changing the email address to a Google support listing would allow the email collection to continue. Hafif recreated the process, showing how easy it is in a YouTube video.

Speaking with Wired, Hafif said that it was possible to get more than the 37,000 email addresses he collected in two hours. He added that it could have been done anonymously, and without detection with the use of additional software.

"I could have done this potentially endlessly," said Hafif. "I have every reason to believe every Gmail address could have been mined."

Later, Hafif would turn to Google with his findings. He says that Google took a month to fix the bug. They also initially declined to pay him a bounty for the findings, before turning around and awarding him $500. Google confirmed to Wired that they patched the issue and paid a reward, but offered no further information.

Google added the delegation feature at the end of 2010, so it is possible the bug has been in the wild since that time. Because the attack could have been carried out anonymously, as Hafif stated, any number of people could have used it to collect a list of Gmail users.

The good news is that the only information that could be mined because of the bug related to the email address. No personal information or passwords could have been gleaned through the collection process. However, the addresses are ripe for being sold to marketers and used for other purposes.

On the Trustwave blog, Hafif explains just how valuable an email address is. Pieced together with other bits of information gathered elsewhere or used in attacks, they can yield other tidbits of personal data or even result in an account take over.

When the reach of a Gmail account or the use of an email address as a login is considered, it can be recognized as an important identifier to an individual. Given the pervasiveness of Google and Gmail, a hacker possessing a Gmail email address can lead to any number of things. Unlike a password, the email address is a permanent identifier that requires more effort to change than a password.

By Electronista Staff
Post tools:




  1. prl99

    Mac Enthusiast

    Joined: 03-24-09

    To be fair to Google (why I don't know), has this also happened to any version of Apple's mail servers? I wonder if Hafif tried the same attack on other email servers and whether he was successful. Since Hafif found it, I'm sure others found it and simply didn't tell Google, harvesting emails to sell to others. I'm glad I dropped my gmail account several months ago but family members refuse to drop theirs even though Google has done all sorts of things to users without a clear understanding it was being done.

  1. Charles Martin

    MacNN Editor

    Joined: 08-04-01

    The story makes clear that the vulnerability came about as part of Gmail's "delegation" feature, which they implemented in 2010. I'm not saying all other email systems are immune to similar attacks, but this attack appears to have relied on a feature Google developed for its Gmail system.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines


Most Popular


Recent Reviews

Seagate Wireless

It seems like no matter how much internal storage is included today's mobile devices, we, as users, will always find a way to fill the ...

Lenovo Yoga Tablet 2 (Android, 10.1-inch)

Lenovo is building a bigger name for itself year after year, including its devices expanding beyond desktop computers. The company's l ...

Brother HL-L8250CDN Color Laser Printer

When it comes to selecting a printer, the process is not exactly something most people put a lot of thought into. Printers are often t ...



Most Commented


Popular News