Hackers Could Have Been Abusing This Bug To Get Gmail Addresses For Years
Tel Aviv-based security researcher Oren Hafif discovered the bug and helped Google fix the problem. Before he did that, he experimented, setting up a program that uncovered 37,000 Gmail addresses in about 2 hours, he told Wired.
"I have every reason to believe every Gmail address could have been mined," Hafif told Wired. He added that any business using Google to host its emails was also vulnerable.
The bug involved an account-sharing feature that lets users delegate access to their accounts. Discovering email addresses is as simple as changing a few characters in a URL. Hafif uploaded a how-to video to his YouTube channel.
Hafif reported the bug to Google, who fixed it after about a month. The company paid the security researcher $500 under its bug bounty program, which Hafif thought was a little low.
"Being a good person is not very profitable these days," he said with a smiley face on Twitter.