Massive flaw could have exposed every Gmail user’s address

12 Jun, 2014 14:56 / Updated 11 years ago

A gaping security bug in Google’s systems may have been used to unearth millions upon millions of users’ email addresses. The activist claimed it took Google a month to rectify the problem after his report to the company.

Tel Aviv-based security researcher Oren Hafif discovered the bug and has informed Google, which has managed to resolve the problem.

However, before Hafif notified Google, he successfully retrieved some 37,000 addresses from the system.

“I have every reason to believe every Gmail address could have been mined,”
Hafif told Wired.

He uploaded a video tutorial to his YouTube account at the beginning of June.


Hafif accessed a page declaring that his access had been denied towards the end of last year. After changing a single character in the website’s URL, the Gmail page said that he’d been denied access to a different address.

He automated character changes using software called DirBuster. “I could have done this potentially endlessly,” said Hafif.

While passwords weren’t provided, the bug may have left accounts wide open to spam, phishing and password hacking attempts.

Google rewarded Hafif with $500 – which some commentators deemed to be very low considering the work he did.

“Being a good person is not very profitable these days :) ,” Hafif posted on Twitter on Thursday.

A Google spokesperson confirmed to Wired that the company had repaired the bug and awarded him some financial compensation. However, Google did not respond to any further requests for comment.