A Tel Aviv, Israel based security researcher has raised the alarm about flaws in Google’s Gmail service. He discovered that Gmail’s sharing feature, which lets a user ‘delegate’ access to their account, could be abused: by tweaking the web address, it was possible to reveal a random user’s email address, and with the help of the enumeration tool Dirbuster the researcher was able to collect 37,000 Gmail addresses in under two hours.
“I could have done this potentially endlessly,” says Hafif, an Israel-based penetration tester for internet security firm Trustwave. “I have every reason to believe every Gmail address could have been mined.”
Researchers speculate that the flaw would have left users vulnerable to spam, phishing or password-guessing attacks. However, Mr Hafif believes that it would not have affected only personal users’ Gmail accounts, since major businesses, and even Google itself, use Gmail to conduct their business.
When asked whether the flaw had ever been exploited, Hafif said skeptically, “We’ll never know.”
“Think about how much money a spammer or a country are ready to pay for a list of all Google accounts?” he added.
A Google spokesman confirmed that the address-harvesting bug has been patched and reaffirmed that the trick would not have exposed passwords.
Mr Hafif was paid $500 (€370) by Google for this discovery.