Google pays just $500 bounty for phishing breach risk


lisbon   january 22  2014 ...

How much cash would spammers pay to access all Google's email accounts? Rather more than the $500 Google paid a helpful hacker, Tel Aviv-based Oren Hafif, to patch up its security email arrangements. Hafif discovered a serious flaw in Google's Gmail service, potentially giving him access to all of Google's email accounts.

So, is your Gmail account safe now?

Potentially exposed

Apparently yes: 27-year-old Hafif's discovery - aided by a piece of software called DirBuster - would not have harvested passwords, but it would have exposed huge numbers of people to far more phishing.

By automating character changes, Hafif was able to suck up 37,000 Gmail addresses very quickly. "I could have done this potentially endlessly," Hafif told Wired. "I have every reason to believe every Gmail address could have been mined."

Click here to watch how the super-geek did it. It took Google a month or so for it to attend to the security breach; there is no information on how long the security breach existed - or whether hackers did ultimately breach it at some point.


What can you do to protect yourself now? There's no end of security tips out there. If you're suspicious of unusual Gmail account activity, make sure the web address begins with https:// and not just "http://". This signals your connection to the website is encrypted and more resistant to snooping.

"Click on the details link," says Google, "at the very bottom of the page to find the most recent IP addresses your mail was accessed from, and their associated locations."

Use a long password - the longer the better and mix it up with letters, numbers and symbols. Also, get a grip on your password recovery options. If you forget a password or get locked out, you need a way to slip back into your account.

Mobile needed

"Sometimes you can also add a phone number to your profile," says Google, "to receive a code to reset your password via text message."

Your mobile is also "a more secure identification method than your recovery email address or a security question because, unlike the other two, you have physical possession of your mobile phone."

Earlier this year Google offered $2.7m in bounty to hackers if they could expose any flaws in its Chrome browser.

On Hafif's website, he breaks down the tech process that allowed him in:

Get the delegation deny URL.
Create a dictionary with all 10-HEX-Character-Long-Token combinations. Ruby is awesome for that.
DirBuster in URL Fuzz mode to obtain all valid tokens.
Bypass Google Anti-Bot protection.
Convert tokens to email addresses (for example, with Burp's intruder).
Send Google a file with some of the extracted email addresses.
Get a bounty.