Google Fixes Bug That Could Have Revealed Every Gmail E-mail Address


According to a report in Wired, a major bug in Google’s Gmail service that would have exposed every Gmail e-mail address in the world has been discovered by a security researcher based in Israel. The bug has been fixed by Google, but it could have existed for years.
Tel Aviv-based security researcher Oren Hafif “helped fix a bug in Google’s Gmail service that could have been used to extract millions of Gmail addresses, if not all of them, in a matter of days or weeks,” the report says. While the bug wouldn’t have put passwords at risk, it would have made users more vulnerable to spam, phishing attacks and other unpleasant emails. Hafif was quoted as saying, “I could have done this potentially endlessly. I have every reason to believe every Gmail address could have been mined.”
Hafif discovered that Gmail’s “delegate” account-access feature could easily be exploited. He found that “he could tweak the URL of a webpage that appears when a user is declined that delegated access to another user’s account.” By simply changing one character in the URL, he got access to different accounts, and with software he was able to get 37,000 Gmail addresses in 2 hours, the report adds.