Google has patched a vulnerability that exposes an indefinite number of Gmail addresses, a potential gold mine for phishing and advanced attacks.

Researcher Oren Hafif of Israel disclosed details on how he was able to abuse a token exposed in a URL in order to reveal every Gmail address. His work earned him $500 through Google’s bug bounty program, he said.

“I bruteforced a token in a Gmail URL to extract all of email addresses hosted on Google,” Hafif wrote on his personal blog.

Hafif began through Google’s Gmail delegation feature which allows an account holder to delegate access to others merely by adding another account in the settings tab. The process returns a verification email indicating that access is pending either a click on an accept or rejection link embedded in the message. The two URLs are nearly identical, minus a couple of important differences that Hafif was able to take advantage of.

Accept: https://mail[.]google[.]com/mail/mdd-f560c0c4e1-oren.hafif%40gmail.com-bbD8J0t6P6JNOUO36vY6S_pZJy4

Reject: https://mail[.]google[.]com/mail/mda-f560c0c4e1-oren.hafif%40gmail.com-bbD8J0t6P6JNOUO36vY6S_pZJy4

In either case, Google does not return the delegation email address in the URL, Hafif said, meaning that something in the URL represents the address. There are specific areas Hafif concentrated on in the URL. First the mdd and mda mapping, which indicates mail delegation accept or deny. Next was the sequence of characters immediately following the mapping that he surmises is the authentication token. And finally, the sequence of characters at the end of the URL, which he said is some sort of “encoded blob.”

Hafif said he first tampered with the encoded bits in the URL and it still returned the email address being delegated.

Hafif said he first tampered with the encoded bits in the URL and it still returned the email address being delegated. Next came the token, which as it turned out, was the key to the puzzle.

“So I start a bruteforce – and what do you know… I get email addresses, lots of lots of email addresses. So many email addresses that every single tool I use for the bruteforce collapses,” Hafif wrote. “So I write my own multithreaded script in ruby – which is not as fast as I want.”

Hafif, who is a researcher with Trustwave’s SpiderLabs, also noticed that many of the email addresses were not Gmail addresses. He said he deduced that they were businesses using Google Apps as a mail service, a worrisome exposure.

“That is actually a pretty hot topic right now. Should we move to the cloud? Should we use Gmail as our organizational email manager?” Hafif wrote. “As the argument about the future of enterprise email goes on with a focus on security – leakage of organizational emails might assist attackers in their spear-phishing attacks and eventually expose the company to advance persistent threats.”

Eventually, Hafif said he turned to an OWASP tool call DirBuster used to bruteforce directories, but which also contains a URL fuzzer. By loading a custom-built Ruby dictionary of all 10-HEX character long token combinations into DirBuster, he was able to obtain all valid tokens, which he was able to convert into valid email addresses using Burp Intruder, a web application attack tool.

As Hafif points out, email addresses have significant value to attackers not only because they can be used in phishing and spam campaigns, but also because they are often used as a user name. Changing a password is relatively simple compared to changing an email address, he said.

“Your email address is being used for authentication everywhere,” he said. “If it has been exposed, it can be used to access your Google account, Facebook account or trying to hack into your smartphone via your Apple Id or your Google Play account name.”

Categories: Hacks, Vulnerabilities