Almost everyone uses Gmail, and that Gmail address is usually tied to your other online accounts, social accounts in particular, often with the same default password reused across all of them. Now imagine what someone could do with tonnes of those email addresses and access to them.
An Israeli security researcher, Oren Hafif, has found a vulnerability in Gmail that allowed extracting every email address from its database, including internal Google addresses. Oren found the bug in Gmail's delegation system, the feature that lets you authorize another person to use your account.
Hafif says the loophole was in the URL that Google's systems send out to authorize another email address to access the account:
As you can see above, there are two URLs: one to accept the invitation and one to reject it.
After a close look at the URL, Hafif divided it into five parts:
https://mail.google.com/mail/mdd-f560c0c4e1-oren.hafif%40gmail.com-bbD8J0t6P6JNOUO36vY6S_pZJy4
- The first part “https://mail.google.com/mail/", is just the normal mapping to the Gmail application.
- The second “/mdd” is the mapping for the mail delegation deny servlet.
- What does “f560c0c4e1” stand for? It looks like a token. There is some hope here, as this one is so short and it’s hexadecimal.
- My email address – oren.hafif%40gmail.com
- What does “bbD8J0t6P6JNOUO36vY6S_pZJy4” stand for? It looks like an encoded blob. This is normally a BAD sign as Google loves to HMAC request URLs and that could be a giant “pain in the scans”.
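To make the five-part structure concrete, here is an added example (not code from the article or from Hafif's write-up) that splits a delegation link into the parts listed above and reports how many candidate values a hex token of that length has. It then shows the defensive design the last bullet alludes to: a link whose token is 128 bits of randomness and whose trailing blob is an HMAC over the action, the token and the address, so that guessing or swapping a token cannot produce a link the server accepts. The signing scheme, key handling and function names are assumptions for illustration; they are not Google's implementation.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote, urlparse

# Link layout described in the write-up: <base>/<servlet>-<token>-<email>-<blob>
EXAMPLE_URL = ("https://mail.google.com/mail/mdd-f560c0c4e1-"
               "oren.hafif%40gmail.com-bbD8J0t6P6JNOUO36vY6S_pZJy4")


def parse_delegation_url(url):
    """Split a delegation link into the five parts Hafif identified.

    Assumes the token and the trailing blob never contain '-', so any
    hyphen inside the e-mail part is preserved.
    """
    parsed = urlparse(url)
    if not parsed.path.startswith("/mail/"):
        raise ValueError("not a Gmail /mail/ URL")
    base = f"{parsed.scheme}://{parsed.netloc}/mail/"
    servlet, token, remainder = parsed.path[len("/mail/"):].split("-", 2)
    email, blob = remainder.rsplit("-", 1)
    return {"base": base, "servlet": servlet, "token": token,
            "email": email, "blob": blob}


def token_space(token):
    """Number of candidate values a lowercase-hex token of this length has."""
    if not token or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("token is not lowercase hex")
    return 16 ** len(token)


def _signature(key, servlet, token, encoded_email):
    """HMAC-SHA256 over every other part of the link, base64url without padding."""
    msg = f"{servlet}|{token}|{encoded_email}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_signed_link(key, servlet, email, base="https://mail.google.com/mail/"):
    """Hardened form (an illustrative design, not Google's): a 128-bit random
    token bound to the action and the address by an HMAC under a server key."""
    token = secrets.token_hex(16)            # 32 hex chars, 128 bits of entropy
    encoded = quote(email, safe="")          # '@' becomes '%40' as in the page's URL
    sig = _signature(key, servlet, token, encoded)
    return f"{base}{servlet}-{token}-{encoded}-{sig}"


def verify_signed_link(key, url):
    """Accept a link only if its signature matches all of its other parts."""
    try:
        p = parse_delegation_url(url)
    except ValueError:
        return False
    expected = _signature(key, p["servlet"], p["token"], p["email"])
    # constant-time comparison: no timing leak about how many bytes matched
    return hmac.compare_digest(expected, p["blob"])


def build_link(p):
    """Reassemble a parsed link (used to show that a swapped token is rejected)."""
    return f"{p['base']}{p['servlet']}-{p['token']}-{p['email']}-{p['blob']}"


if __name__ == "__main__":
    parts = parse_delegation_url(EXAMPLE_URL)
    print(parts)
    print("candidate tokens of that length:", token_space(parts["token"]))
    key = secrets.token_bytes(32)            # constructed server-side key
    link = make_signed_link(key, "mdd", "oren.hafif@gmail.com")
    print("signed link verifies:", verify_signed_link(key, link))
```

The point of the hardened version is that the server never has to look a token up in a table at all: it recomputes the HMAC from the parts in the URL and rejects anything that does not match, so a fuzzed token yields nothing, and the response is the same (and takes the same time) whether the token is close to a real one or not.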
He tested the URL with a brute-force tool, fuzzing “/mail/mdd-{dir}-oren.hafif%40gmail.com” with a dictionary holding every 10-character combination of such a hex string.
As we all know, Google's anti-bot protection shows an error message after too many invalid requests, so to bypass it he used a Google support mail address instead of his own. Each time Google blocked the string, he swapped it for another one, and in this way he managed to collect all the tokens. To translate the tokens into email addresses he used Burp's Intruder tool.
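The anti-bot blocking described above is a rate limit; what it does not do by itself is tell the defender that an enumeration is in progress. The following added example (not part of the article, and not Google's code) shows the detection logic a defender would run over web-server access logs for an endpoint of this shape: it groups requests to the delegation servlet by client address and flags any source that tries many distinct tokens within a short window. The log format, addresses, window and threshold are assumptions, and the sample lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined-format prefix: ip ident user [timestamp] "GET path HTTP/x.y" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)
# the delegation servlet with its hex token, as laid out in the write-up
MDD_RE = re.compile(r'^/mail/mdd-(?P<token>[0-9a-f]+)-')


def parse_line(line):
    """Return ip, timestamp, path and status for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def find_token_enumeration(lines, window=timedelta(minutes=5), threshold=20):
    """Flag sources that present many *distinct* delegation tokens in one window.

    A legitimate user follows one link (one token); a dictionary attack
    presents a new token on every request, most of them answered with errors.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = MDD_RE.match(rec["path"])
        if m is None:
            continue
        events[rec["ip"]].append((rec["ts"], m["token"], rec["status"]))

    alerts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start, peak = 0, 0
        for i, (ts, _token, _status) in enumerate(evs):
            while evs[start][0] < ts - window:       # slide the window forward
                start += 1
            distinct = len({t for _, t, _ in evs[start:i + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[ip] = {
                "distinct_tokens": peak,
                "error_responses": sum(1 for _, _, s in evs if s >= 400),
            }
    return alerts


def constructed_sample_log():
    """Constructed lines: one source trying 25 different tokens in 25 seconds,
    one ordinary user following a single link. Addresses are documentation ranges."""
    lines = []
    for i in range(25):
        lines.append(
            f'203.0.113.5 - - [10/Jun/2014:10:00:{i:02d} +0000] '
            f'"GET /mail/mdd-{i:010x}-user%40example.com-constructedblob HTTP/1.1" 404 512'
        )
    lines.append(
        '198.51.100.7 - - [10/Jun/2014:10:01:00 +0000] '
        '"GET /mail/mdd-f560c0c4e1-user%40example.com-constructedblob HTTP/1.1" 200 2048'
    )
    lines.append('198.51.100.7 - - [10/Jun/2014:10:01:05 +0000] "GET /mail/ HTTP/1.1" 200 4096')
    return lines


if __name__ == "__main__":
    for ip, info in find_token_enumeration(constructed_sample_log()).items():
        print(f"enumeration suspected from {ip}: {info}")
```

Counting distinct tokens rather than raw request volume is what separates this from a plain rate limit: a user who reloads one delegation link many times never trips it, while a fuzzer that rotates source addresses to dodge blocking still leaves a trail of one-token-per-request errors that can be correlated by address, session or the target mailbox in the URL.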
This way he managed to obtain all the email addresses in Google's database. He also posted a video demonstrating the vulnerability, which you can check below.