Flaw in Gmail which exposed the email address of every user

Almost every one of you uses Gmail, and your Gmail account is usually linked to your other online accounts, most often social accounts. If you use the same or a default password for all of them, what happens when someone holds a list of tons of email addresses and can start working on them?

An Israeli security researcher, Oren Hafif, found a vulnerability in the Gmail system that allowed an attacker to extract every email address from its database, including internal addresses. Oren found the bug in the Gmail delegation system, which lets you authorize another person to use the same account you are using.

Hafif says the loophole was in the URL sent by Google's systems to authorize another email address to access the account:
[Image: the delegation email with its two URLs, one to accept the invitation and one to reject it]
As you can see above, there are two URLs: one to accept the invitation and one to reject it.

After a closer look at the URL, Hafif divided it into five parts:
https://mail.google.com/mail/mdd-f560c0c4e1-oren.hafif%40gmail.com-bbD8J0t6P6JNOUO36vY6S_pZJy4
  1. The first part “https://mail.google.com/mail/", is just the normal mapping to the Gmail application.
  2. The second “/mdd” is the mapping for the mail delegation deny servlet.
  3. What does “f560c0c4e1” stand for? It looks like a token. There is some hope here, as this one is so short and it’s hexadecimal.
  4. My email address – oren.hafif%40gmail.com
  5. What does “bbD8J0t6P6JNOUO36vY6S_pZJy4” stand for? It looks like an encoded blob. This is normally a BAD sign as Google loves to HMAC request URLs and that could be a giant “pain in the scans”.
He then tested the URL with a brute-force tool, fuzzing “/mail/mdd-{dir}-support@google.com-O6xUbWXP7hm8GaZGUetuk5f9vlU” with a dictionary holding all 10-character-long combinations of such a hex string.


As we all know, Google's anti-bot protection shows an error message on the screen after too many invalid requests, so to bypass it he used a Google support address (instead of his own email address). Each time Google blocked a string he switched to another one, and in this way he managed to collect all the tokens. To translate the tokens into email addresses he used Burp's Intruder tool.
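The design lesson in the URL breakdown above is that the only per-user secret was a short hexadecimal token, and the trailing blob evidently did not bind the token and the address together, since the researcher could keep the blob fixed while fuzzing the token and swapping in another address. The following is an added example, not code from the article or from Google, of how such a delegation link can be built so that the action, token and address are covered by one HMAC and any altered field fails verification. The host, server key, helper names and sample addresses are constructed for the example; only the `/mail/` path, the `mdd` servlet name and the 10-character hex token shape come from the article.

```python
"""Added example (not from the article or from Google): a delegation action
link whose action, token and address are bound together by an HMAC, so that
changing any one field invalidates the link.  The host, key, helper names and
sample addresses are constructed for this example."""
import hashlib
import hmac
import math
import secrets
from typing import Optional
from urllib.parse import quote, unquote

# Constructed base URL; the article's real path is https://mail.google.com/mail/.
BASE = "https://mail.example.invalid/mail"
# Constructed server-side secret; a real service would load it from a KMS.
SERVER_KEY = secrets.token_bytes(32)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for a token of `length` symbols drawn from an
    alphabet of `alphabet_size`.  A 10-character hex token gives 40 bits:
    countable, so it must not be the only thing between a guess and a valid link."""
    return length * math.log2(alphabet_size)


def _mac(action: str, token: str, address: str) -> str:
    """HMAC-SHA256 over action|token|address, hex-encoded.  Hex contains no
    '-' characters, which keeps the URL splittable on '-'."""
    msg = f"{action}|{token}|{address}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def build_link(action: str, address: str, token: Optional[str] = None) -> str:
    """Build a link in the article's layout: {BASE}/{action}-{token}-{address}-{mac}.
    'mdd' is the deny servlet named in the article; other action names are
    whatever the caller passes (constructed)."""
    token = token or secrets.token_hex(5)  # 10 hex characters, like the article's token
    return f"{BASE}/{action}-{token}-{quote(address)}-{_mac(action, token, address)}"


def verify_link(url: str) -> Optional[dict]:
    """Return the link's fields only if the MAC matches all three of them.
    Returns None for a malformed link, a swapped address or a guessed token."""
    prefix = BASE + "/"
    if not url.startswith(prefix):
        return None
    parts = url[len(prefix):].split("-")
    if len(parts) < 4:
        return None
    action, token, mac = parts[0], parts[1], parts[-1]
    address = unquote("-".join(parts[2:-1]))  # addresses may themselves contain '-'
    expected = _mac(action, token, address)
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    return {"action": action, "token": token, "address": address}


if __name__ == "__main__":
    print(f"10 hex chars: {keyspace_bits(16, 10):.0f} bits of token space")
    link = build_link("mdd", "alice@example.com")
    print(link)
    print("valid:          ", verify_link(link))
    print("address swapped:", verify_link(link.replace("alice", "mallory")))
```

With the MAC computed over all three fields, holding the blob fixed while fuzzing the token, or substituting another address, produces a link the server rejects, and the enumeration described in the article yields nothing. Rate limiting still belongs on the endpoint, but as a second layer, not the only one.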


In this way he managed to collect every email address in Google's database. He also posted a video demonstrating the vulnerability, which you can check below.