Israeli Hacker Saves Gmail From ‘Killer’ Security Flaw

By David Shamah, The Times of Israel June 15, 2014 Comments

Oren Hafif, an Israeli “white hat” hacker, discovered a serious security flaw in Gmail which could have compromised all 500 million accounts and allowed hackers to access users’ mail accounts and all Web services that use Google’s authentication system. Hafif discovered the vulnerability, documented it, successfully tried it out and told Google about it. Google gave him a $500 reward, as part of its Bug Bounty program.

Hafif, a member of the elite security team at the Israeli office of Trustwave, a Chicago-based security company, consults with businesses large and small to detect security holes in their systems — getting to the bugs, his clients hope, before hackers can discover and exploit them. According to Hafif, “with knowledge gathered from over 300 penetration tests and security audits for almost any service line out there (finance, telecom, healthcare, transportation, etc), helping my clients become more secure is my goal.”

Related articles:

Fortunately for Google, Hafif was on the job this week, when what he termed the “One Token to Rule Them All” exploit was uncovered. Gmail, is not just an abbreviation for “Google Mail,” as most people suppose it is; it stands for Global Main Authentication and Identification Library, and “is used everywhere from sites like Facebook and Twitter to online banking. Owning your Gmail account is a hacker’s dream because it means all other accounts are now in reach,” Hafif said in a blog post.

Although the bug would not have exposed Gmail passwords to hackers, it would have exposed to them authentic addresses using the Google platform — almost half the battle in getting access to an account, because those addresses could be used in hacker scripts that try to guess passwords. Once the passwords were discovered, the authentication information could be used to access all services that use Google’s authentication system.

The hack involves using a security token issued by Google to generate a list of Gmail-platform addresses. The token is a string of text and numbers so valuable that Hafif calls it “my precious token.” By changing one character in the token, he said, he was able to mine 37,000 Gmail addresses. Had he wanted to, “I could have extracted all of the email addresses hosted on Google” in a matter of weeks, or even days.

This article was first published on The Times of Israel and was re-posted with permission. To continue reading this article on the TOI site, click here.

Photo:  mikael altemark

Facebook Comments
image description
image description
Load more