Google patched the vulnerability and awarded the researcher $500 (370 EUR)

Jun 12, 2014 08:35 GMT  ·  By

A vulnerability that could have exposed every Gmail address has recently been addressed by Google, after a penetration tester disclosed the abuse method to the company.

Identifying the weak spot started with Gmail’s delegation feature, through which a user can grant another user full access to their account.

Oren Hafif of security firm Trustwave started off by analyzing the accept and reject URLs sent to the delegate in a verification email. Hafif noticed that the two links were similar, but rejecting the offer opened a message whose link contained a string that should normally represent the delegated email address.

The researcher then broke the links into several components: a mapping indicating whether the delegation is accepted or denied, a set of characters that looked like a token, and “an encoded blob” at the end of the string.

By modifying the characters of the token, Hafif noticed that the link returned a different delegated address. Bruteforcing the token produced a flurry of email addresses. “So many email addresses that every single tool I use for the bruteforce collapses,” said the researcher.

Many of the addresses retrieved were not Gmail addresses, which makes the discovery far more serious: those addresses belonged to businesses relying on Google Apps as their email service.

Using DirBuster, a tool designed for directory bruteforcing, loaded with a custom dictionary containing all the combinations of the token characters, Hafif managed to collect valid tokens, which were then converted to email addresses using Burp Intruder.

To bypass Google’s anti-bot protection, the URL pasted into the bruteforce tool had to be modified by providing the “[email protected].” This confused the bot check, the requests were no longer blocked, and the leak continued unhindered.
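The weakness described above is, at its core, a guessable token that acts as a direct reference to another user’s address, returned to anyone who presents it. The following is an added example, not code from the article, from Google, or from Hafif’s post: a toy model of that weak delegation-link design beside a hardened version, and a simple check over constructed access-log lines that would surface the enumeration pattern. All tokens, addresses, log lines, function names and the log format are constructed for the illustration; the real token alphabet and length are not stated in the article.

```python
import hmac
import secrets
import string
from collections import defaultdict
from itertools import product

# --- Weak design: the pattern the article describes ---------------------------
# Constructed toy store mapping an offer token to the delegated address.  The
# alphabet and length are deliberately tiny so the whole space can be walked in
# a fraction of a second; the real values are not given in the article.
WEAK_ALPHABET = "abcd"
WEAK_TOKEN_LEN = 3

def weak_issue(store, delegated_email):
    """Weak: mint a short token from a small alphabet and file the offer."""
    token = "".join(secrets.choice(WEAK_ALPHABET) for _ in range(WEAK_TOKEN_LEN))
    store[token] = delegated_email
    return token

def weak_reject(store, token):
    """Weak: no check on who is calling, and the delegated address is echoed."""
    email = store.get(token)
    if email is None:
        return "invalid token"
    return f"You rejected delegation for {email}"

def weak_token_space():
    """Number of possible tokens; 4**3 == 64 here, trivially enumerable."""
    return len(WEAK_ALPHABET) ** WEAK_TOKEN_LEN

def weak_exposure(store):
    """Defender-side measurement: walk the (tiny) token space and collect every
    address the reject page leaks.  Because the token is guessable and the
    response is not tied to a recipient, every pending offer is exposed."""
    leaked = []
    for combo in product(WEAK_ALPHABET, repeat=WEAK_TOKEN_LEN):
        resp = weak_reject(store, "".join(combo))
        if resp != "invalid token":
            leaked.append(resp)
    return leaked

# --- Hardened design ----------------------------------------------------------
def hardened_issue(store, delegated_email, recipient):
    """Hardened: 256-bit random token, bound to the account that must act on it."""
    token = secrets.token_urlsafe(32)
    store[token] = {"email": delegated_email, "recipient": recipient}
    return token

def hardened_reject(store, token, acting_user):
    """Hardened: the token must exist and belong to the signed-in user, it is
    burned on first use, and the response never repeats the delegated address."""
    entry = store.get(token)
    if entry is None or not hmac.compare_digest(entry["recipient"], acting_user):
        return "invalid or expired link"
    del store[token]
    return "delegation request declined"

# --- Detection over constructed access-log lines ------------------------------
# Constructed format: timestamp source method path.  One source walks tokens.
SAMPLE_LOG = """\
2014-06-01T10:00:01Z 203.0.113.5 GET /mail/delegate/reject?token=aab
2014-06-01T10:00:01Z 203.0.113.5 GET /mail/delegate/reject?token=aac
2014-06-01T10:00:02Z 203.0.113.5 GET /mail/delegate/reject?token=aad
2014-06-01T10:00:02Z 203.0.113.5 GET /mail/delegate/reject?token=aba
2014-06-01T10:00:03Z 203.0.113.5 GET /mail/delegate/reject?token=abb
2014-06-01T10:00:09Z 198.51.100.7 GET /mail/delegate/reject?token=bcd
"""

def flag_token_walkers(log_text, threshold=3):
    """Return sources that hit the reject endpoint with >= threshold distinct
    tokens.  A genuine delegate clicks one link; many distinct tokens from one
    source is the enumeration pattern, whatever client string it presents."""
    tokens_by_src = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "/delegate/reject?token=" not in parts[3]:
            continue
        tokens_by_src[parts[1]].add(parts[3].split("token=", 1)[1])
    return sorted(src for src, toks in tokens_by_src.items() if len(toks) >= threshold)

if __name__ == "__main__":
    weak = {}
    weak_issue(weak, "alice@example.com")  # constructed address
    print(weak_token_space(), weak_exposure(weak))
    strong = {}
    t = hardened_issue(strong, "alice@example.com", "bob@example.com")
    print(hardened_reject(strong, t, "mallory@example.com"))
    print(hardened_reject(strong, t, "bob@example.com"))
    print(flag_token_walkers(SAMPLE_LOG))
```

The hardened handler changes three things at once: the token space is unguessable, the token only works for the recipient it was issued to, and the reject response carries no data about the offer, so even a leaked link reveals nothing. The log check is independent of any anti-bot heuristic on the client side; it keys on the behaviour the article describes (many distinct tokens from one source), which a spoofed client string does not hide.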

Unlike passwords, which can be changed, email addresses are effectively permanent, and they are a valuable asset in spam or phishing campaigns.

In his post, the researcher notes that an email address “is being used for authentication everywhere. If it has been exposed, it can be used to access your Google account, Facebook account or trying to hack into your smartphone via your Apple Id or your Google Play account name.”

After initially rejecting the bug, Google conducted a second review and decided to award Hafif $500 (370 EUR) for his findings.

A video showing the modification of the token is available below: