Sunday, June 29, 2014

How Secure is Your Email Address?

    Over the years I have had many different email accounts.  The deciding factors that made me change accounts were how much junk email or spam I received and whether there were any security concerns with my current email provider.  Recently Gmail was discovered to have a new security vulnerability.  This vulnerability put an indefinite number of Gmail addresses as well as business emails at risk.  Why is gaining an unlimited number of Gmail addresses so valuable?  The vulnerability is important because it allows the attacker to send phishing campaigns and targeted attacks to an unlimited number of users.  This guarantees that the attacker will have a higher number of victims.

    The vulnerability allows an attacker to gain access to a list of Gmail addresses.  This discovery was made by Oren Hafif, a researcher at Trustwave's SpiderLabs.  He reported the vulnerability to Google, which has since fixed it.  One may ask how this vulnerability was even possible.  Hafif found a token exposed in a URL and was able to expose every Gmail address.  The URL token was found when using Gmail's delegation feature.  When an account user delegates that account to allow another person to access it, the delegated party has to accept or decline the delegation via an embedded URL link.  These links were nearly identical; the only difference was that one link included /mdd (mail delegation deny servlet) while the other included /mda (mail delegation accept servlet).  He then researched URLs that Google used and determined that the sequence which followed mda and mdd was being used as an authentication token.

    With the authentication token Hafif started running a brute force attack and was able to gain so many email addresses that every tool he used to conduct the brute force crashed from the overload.  To overcome this problem he wrote his own multi-threaded script in Ruby.  In addition to Gmail addresses, he discovered he was also obtaining non-Gmail addresses.  These were most likely businesses that were using Google Apps as a mail service.  Hafif commented on the potential security threats that companies may face when considering whether they should move their information to the cloud, as many companies have done by choosing Gmail as their organization's email manager.  When vulnerabilities like this exist, they create additional potential threats such as spear phishing attacks, advanced persistent threats, and other targeted attacks.  It is important to keep this possible vulnerability in mind when planning security threat mitigation for not only your personal email accounts, but also your company's email accounts.
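    For defenders, the brute force described above leaves a recognizable trace in web server logs: one client requesting many different delegation tokens in a short time.  The script below is an added example (not code from Hafif or Google) that flags that pattern; the log layout, the /mda/<token> path shape, the thresholds, and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: "<ISO timestamp> <client> GET /<mda|mdd>/<token> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) GET /(?:mda|mdd)/(?P<token>[A-Za-z0-9_-]+) \d{3}$"
)

def find_token_enumeration(lines, window=timedelta(minutes=1), max_distinct=5):
    """Return {client: peak distinct tokens} for every client that requested more
    than max_distinct different delegation tokens inside any sliding window."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not delegation accept/deny requests are ignored
            events.append((datetime.fromisoformat(m["ts"]), m["client"], m["token"]))
    recent = defaultdict(deque)  # client -> (timestamp, token) pairs still in window
    flagged = {}
    for ts, client, token in sorted(events):
        q = recent[client]
        q.append((ts, token))
        while ts - q[0][0] > window:  # drop requests older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

def build_sample_log():
    """Constructed sample data: one ordinary user and one client walking tokens."""
    lines = [
        "2014-06-10T09:00:00 198.51.100.7 GET /mda/Qx9tok3nA 200",
        "2014-06-10T09:00:05 198.51.100.7 GET /mda/Qx9tok3nA 200",  # same link twice
        "2014-06-10T09:00:10 198.51.100.7 GET /index.html 200",
    ]
    for i in range(20):  # 20 different tokens in 20 seconds from a single client
        lines.append(f"2014-06-10T09:01:{i:02d} 203.0.113.50 GET /mdd/tok{i:04d} 200")
    return lines

if __name__ == "__main__":
    for client, peak in find_token_enumeration(build_sample_log()).items():
        print(f"{client}: {peak} distinct delegation tokens within one minute")
```

    A legitimate recipient normally touches only the one token that was mailed to them, so counting distinct tokens per client separates the two cases better than counting raw requests.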

 
Paganini, P. (2014, June 12). Gmail hacking, a mine of data for phishing and spam attacks. Retrieved June 23, 2014, from Security Affairs: http://securityaffairs.co/wordpress/25676/hacking/gmail-hacking.html

    

    
