A Gmail bug that could have exposed millions of valid email accounts


When you invite someone to manage your email account, they receive an email with two options: one to accept the delegation and another to decline it. Clicking that second URL leads to a page like the one shown in the screenshot below, which displays the email address whose access request has been rejected.

So far, so normal. The problem arose when someone altered a character of that URL: in that case there was a chance of receiving the message for a different account, revealing the address of some random email account.

What Oren Hafif, a professional working at the Israeli security firm Trustwave, did in November 2013 was to write a small script (you can see it in the video below and in this article) that altered characters and automatically collected the addresses returned. The result: 37,000 real email accounts obtained in less than two hours.

This problem, which Google fixed after Oren reported it, had remained in place for a long time, as discussed in Wired, so it is not known whether anyone used it to obtain millions of email accounts, accounts that have great value on the black market for spam, phishing and other email-based attacks.

Oren sought the reward Google offers to those who find bugs in its platforms, but in this case he only got $500, and only after insisting, as apparently Google did not want to consider it a “programming problem” as such.