Oren Hafif, an Israeli “white hat” hacker, discovered a serious security flaw in Gmail which could have compromised all 500 million accounts and allowed hackers to access users’ mail accounts and all Web services that use Google’s authentication system. Hafif discovered the vulnerability, documented it, successfully tried it out and told Google about it. Google gave him a $500 reward, as part of its Bug Bounty program.
Hafif, a member of the elite security team at the Israeli office of Trustwave, a Chicago-based security company, consults with businesses large and small to detect security holes in their systems — getting to the bugs, his clients hope, before hackers can discover and exploit them. According to Hafif, “with knowledge gathered from over 300 penetration tests and security audits for almost any service line out there (finance, telecom, healthcare, transportation, etc), helping my clients become more secure is my goal.”
Fortunately for Google, Hafif was on the job this week, when what he termed the “One Token to Rule Them All” exploit was uncovered. Gmail is not just an abbreviation for “Google Mail,” as most people suppose it is; it stands for Global Main Authentication and Identification Library, and “is used everywhere from sites like Facebook and Twitter to online banking. Owning your Gmail account is a hacker’s dream because it means all other accounts are now in reach,” Hafif said in a blog post.
Although the bug would not have exposed Gmail passwords to hackers, it would have exposed valid addresses on the Google platform to them — almost half the battle in getting access to an account, because those addresses could be used in hacker scripts that try to guess passwords. Once the passwords were discovered, the authentication information could be used to access all services that use Google’s authentication system.
The hack involves using a security token issued by Google to generate a list of Gmail-platform addresses. The token is a string of text and numbers so valuable that Hafif calls it “my precious token.” By changing one character in the token, he said, he was able to mine 37,000 Gmail addresses. Had he wanted to, “I could have extracted all of the email addresses hosted on Google” in a matter of weeks, or even days.
It should be noted that many of the service’s addresses do not use @gmail.com as their domain address. Google’s business programs allow companies to use their own domain names and host them on Google servers. These, too, said Hafif, would have been vulnerable to the hack.
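The mechanism described above, a lookup token that resolves to a different mailbox when one character of it is altered, comes down to a token that carries no binding to its owner. The following is an added example, not Google's code and not the token format Hafif actually found: a toy directory behind a weak, unsigned token and behind an HMAC-bound token, a self-test that measures how many other addresses a single-character edit of a legitimately issued token reaches under each design, and a log counter showing that only the bound design produces the rejected-lookup events a detection team can alert on. The directory, key, addresses and log lines are all constructed for illustration; the address on corp-example.com stands in for the hosted custom domains the article mentions.

```python
"""Added example (not Google's code, not the token format Hafif found):
unsigned vs HMAC-bound lookup tokens, a one-edit reachability self-test,
and a reject counter for detection. All data below is constructed."""
import base64
import hashlib
import hmac
from collections import Counter
from typing import Optional

# Constructed stand-in for a provider's directory (account id -> address).
# 1003 lives on a customer's own domain hosted on the platform.
DIRECTORY = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@corp-example.com",
}
SECRET_KEY = b"constructed-demo-key-never-ship-to-clients"  # server-side only
MAC_LEN = 16
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"


def _b64decode(token: str) -> Optional[bytes]:
    """URL-safe base64 decode tolerant of stripped padding; None if malformed."""
    try:
        return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def weak_token(account_id: int) -> str:
    """Weak design: the token is merely an encoding of the account id."""
    return base64.urlsafe_b64encode(str(account_id).encode()).decode().rstrip("=")


def weak_lookup(token: str) -> Optional[str]:
    """Endpoint that trusts the token's contents: any decodable id resolves."""
    raw = _b64decode(token)
    try:
        return DIRECTORY.get(int(raw)) if raw is not None else None
    except ValueError:
        return None


def signed_token(account_id: int) -> str:
    """Bound design: id plus a truncated HMAC-SHA256 over it under a server key."""
    payload = str(account_id).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()[:MAC_LEN]
    return base64.urlsafe_b64encode(payload + mac).decode().rstrip("=")


def signed_lookup(token: str) -> Optional[str]:
    """Endpoint that refuses any token whose MAC fails to verify."""
    raw = _b64decode(token)
    if raw is None or len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return DIRECTORY.get(int(payload))
    except ValueError:
        return None


def one_edit_reach(token: str, lookup) -> set:
    """Self-test for a token design: which addresses, other than the token's own,
    does some single-character substitution of an issued token resolve to?
    A correctly bound token should reach none."""
    own = lookup(token)
    reached = set()
    for pos, current in enumerate(token):
        for ch in B64_ALPHABET:
            if ch != current:
                addr = lookup(token[:pos] + ch + token[pos + 1:])
                if addr is not None:
                    reached.add(addr)
    reached.discard(own)
    return reached


# Constructed access-log lines: "<client> <endpoint> <result>". Only the bound
# design ever emits "reject", so only it gives detection something to count.
SAMPLE_LOG = """\
10.0.0.5 token-lookup ok
10.0.0.5 token-lookup ok
203.0.113.9 token-lookup reject
203.0.113.9 token-lookup reject
203.0.113.9 token-lookup reject
203.0.113.9 token-lookup ok
203.0.113.9 token-lookup reject
198.51.100.2 token-lookup reject
"""


def flag_token_guessers(log_text: str, threshold: int = 3) -> dict:
    """Clients whose rejected-token count meets the threshold (alert candidates)."""
    rejects = Counter(
        client
        for client, endpoint, result in (ln.split() for ln in log_text.splitlines())
        if endpoint == "token-lookup" and result == "reject"
    )
    return {c: n for c, n in rejects.items() if n >= threshold}


if __name__ == "__main__":
    print("weak design reaches:", one_edit_reach(weak_token(1001), weak_lookup))
    print("bound design reaches:", one_edit_reach(signed_token(1001), signed_lookup))
    print("alert candidates:", flag_token_guessers(SAMPLE_LOG))
```

Run stand-alone, the weak design reaches the two other directory entries from a single issued token, the bound design reaches none, and the log counter flags the one client accumulating rejects. The two design points a reviewer would take from this: a token that resolves to an identity must carry integrity under a server-held key (or be an unguessable random value stored server-side), and rejected verifications must be logged per client so that guessing shows up as a signal rather than as quiet successes.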
That should concern businesses that use the Gmail platform, since the issue of Google’s security “is actually a pretty hot topic right now,” he said. “Should we move to the cloud? Should we use Gmail as our organizational email manager? As the argument about the future of enterprise email goes on with a focus on security, leakage of organizational emails might assist attackers in their spear-phishing attacks and eventually expose the company to advanced persistent threats,” he said. “My precious token can get them all, even if you never gave your email address to any single living creature. Private emails or business email addresses with your organization’s domain, all are mine. If you consider some of your employees’ and executives’ email addresses confidential, that’s a problem.”
Hafif is a white hat hacker who uses his “powers” for good by hacking to eliminate security threats, as opposed to “black hat” hackers, who do the opposite. As such, he reported the bug to Google, which took immediate action to fix it. “The Google security team fixed the vulnerability and rewarded me with a $500 bounty.”
Numerous commenters on the blog post expressed shock at what they considered the very small amount of money awarded to Hafif for mitigating what could have been a major security breach, which may have been there for years. “I can’t believe Google are such cheap #%@#%@,” wrote one commenter. The comment went on to say that they should have given Hafif a lot more, given “the collateral macro level damage that would have been caused by leaking their entire email database and the damage to Google’s reputation.” Others called the reward “hilarious” and “shameful.”
“Thanks for the compliments,” Hafif responded, adding that while he would have liked more money, he could understand why Google was keeping a low profile about this, even though the security flaw here was much more serious than the ones they usually uncover. “They probably understand that this case is different. However, explaining this over and over again might be overwhelming. Always look at the wider picture. I mean, I am speculating, but who knows?”