The addresses of all Gmail users could have fallen into the hands of fraudsters.
Last week Google fixed a vulnerability that allowed spammers to learn the addresses of all Gmail users. According to SecurityAffairs, the data of about half a billion users could have fallen into the hands of fraudsters.
Oren Hafif, an information security expert at Trustwave, found that the gap had existed in Gmail for several years. For discovering such a dangerous flaw, the expert was paid a reward of only $500. Google took about a month to fix the vulnerability.
Information about the vulnerability was published only after the search giant released the fix. According to Hafif, Google had been unaware that the flaw existed. Attackers could also have exploited the vulnerability to run phishing campaigns and to recover the passwords of arbitrary accounts.
The flaw stemmed from the feature that lets a user grant other users access to their account. Specifically, it came down to modifying a URL request sent to the Gmail service: using a simple program, a cybercriminal could automatically iterate over the characters in the URL request referring to someone else's account, and this revealed that user's full address.
Having written his own program, Hafif collected the addresses of 37,000 accounts in just 2 hours of iterating over the characters in the request.
It should be noted that initially Google was not going to pay any reward for the discovery at all. Moreover, the sum of $500 is very small compared with the rewards paid under Google's corporate policy.