
Gmail Bulk-Email Validation bug



I would like to share this recent bug I found in Gmail.

It allows sending a list of about 200 email addresses and validates whether or not each of them exists in the Google DB.

This validator script is used by Gmail while registering new users (an AJAX request is sent that shows whether the entered email is available or not while the user is filling in the fields).

It's simple XSS.

Anyone can send a request containing multiple usernames and Gmail replies with an answer for every single one of them, whether it exists or not.

Here is my original post and description:



Just thought I'd share it with Hak5 :-)


Well, yeah. Everybody and their cat is on Gmail. Eat a bowl of alphabet soup, throw up and look at the letters on the floor. Chances are, that's a Gmail user id.

So what can you do with this? It's a starting point to hack a complete stranger. But what would be the point of that?

In my country there's this bank called ING. Their bank account IDs are different from the 'regular' banks: it's just a number. No checksum gets calculated to compute a verification digit at the end, so it's more than reasonable to expect people to make a mistake while typing in the number of the account they want to transfer money to. When you say you want to transfer money to account X you need to name the recipient. When that name differs from what the bank has as the registered account owner, you get a prompt saying "The account you entered is owned by SOANDSO, is this who you want to transfer your funds to?". A classic case of information disclosure, I think you'd agree. The only requirement to get such a response is that you provide at least 3 characters in the account name field. It doesn't have to match SOANDSO's name in any way, shape or form to trigger such a response.

A few years ago someone spent the time to index a large chunk of account numbers with their owners using this method and called the press, screaming "Fire!". The bank's response was to effectively shrug their shoulders and say knowing this information doesn't gain you anything, so what's the problem? And this was deemed by pretty much everybody to be a valid response. Your bank account number is hardly a secret. Sure, unless you're a business you don't list it on every page of your website, but since it can typically only be used to transfer money TO the account owner (for you to be able to transfer FROM the account the owner needs to provide written consent to the bank), no real harm to do here.

So let's just ask the question here: say you know the valid Gmail address of someone, what would you do from that point that benefits you at least more than it bothers the owner?


  • 1 month later...

According to this Wired article some Israeli found a similar and far less effective means of doing the same thing. He got $500 for it (after a bit of prodding). My suggestion to you would be to try the same. The one you've discovered is most certainly worse than the one he has...


digininja: I posted it here and blogged it only after disclosing it to them.

They made changes right away (limiting the number of requests in a timeframe) and that's all.


Cooper: I can certainly generate more emails than "37,000 Gmail addresses in about two hours" (http://www.wired.com/2014/06/gmail-bug-could-have-exposed-every-users-address/).

I'll just have to use Tor and hop to different exit nodes according to the time-frame of Gmail's replies.

Edited by vincian
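To make the thread's two technical points concrete (the bulk validator described in the first post acting as an account-enumeration oracle, and the later exchange about a per-timeframe request limit being sidestepped by hopping Tor exit nodes), here is an added, self-contained simulation. It is illustrative code written for this page, not Google's endpoint or anything the posters published; the username directory, the limits (5 checks per 60-second window, a 200-name batch cap), the exit-node addresses and the signup-token idea are all constructed assumptions.

```python
"""Simulated username-availability endpoint and enumeration client.

Constructed for illustration: the directory, limits and addresses below are
assumptions, not Gmail's real behaviour or data.
"""
import time
from collections import defaultdict, deque

# Constructed sample of "registered" usernames (hypothetical).
REGISTERED = {"alice", "bob", "carol", "dave"}

MAX_PER_REQUEST = 200      # batch size the thread says the endpoint accepted
RATE_LIMIT = 5             # assumed: checks allowed per window, per key
WINDOW_SECONDS = 60.0


def bulk_check_vulnerable(usernames):
    """Behaviour from the first post: submit up to 200 names, get an
    exists/free verdict for each. No per-client cost, so it is a free oracle."""
    if len(usernames) > MAX_PER_REQUEST:
        raise ValueError("too many usernames in one request")
    return {u: (u in REGISTERED) for u in usernames}


class SlidingWindowLimiter:
    """Per-key sliding-window counter; rejected calls are not charged."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def availability_check(username, client_ip, signup_token, ip_limiter, token_limiter):
    """Hardened single-name check (assumed design): one name per call, and the
    budget is charged against a signup-session token issued with the form as
    well as the source IP. Rotating exit nodes yields a fresh IP but the same
    token, so the token budget still binds. Minting a new token means loading
    the form again, which is where a CAPTCHA or similar cost could attach."""
    if not token_limiter.allow(signup_token):
        return "rate_limited"
    if not ip_limiter.allow(client_ip):
        return "rate_limited"
    return "taken" if username in REGISTERED else "available"


def enumerate_rotating_ips(names, exit_ips, token, ip_limiter, token_limiter):
    """Attacker loop from the last post: on a rate-limit response, hop to the
    next exit IP. Gives up on a name once every exit has been tried."""
    results, ip_idx = {}, 0
    for name in names:
        verdict = None
        for _ in range(len(exit_ips)):
            ip = exit_ips[ip_idx % len(exit_ips)]
            v = availability_check(name, ip, token, ip_limiter, token_limiter)
            if v != "rate_limited":
                verdict = v
                break
            ip_idx += 1            # "hop" to a new exit node
        if verdict is None:
            break                  # every exit exhausted: enumeration stalls
        results[name] = verdict
    return results


def run_scenario(token_limit):
    """Enumerate 44 constructed names through 3 exit IPs within one window.
    token_limit=10**9 models an IP-only limit; token_limit=RATE_LIMIT models
    the token-bound limit. Returns the verdicts the attacker obtained."""
    frozen = [0.0]
    clock = lambda: frozen[0]                      # keep everything in one window
    ip_limiter = SlidingWindowLimiter(RATE_LIMIT, WINDOW_SECONDS, clock)
    token_limiter = SlidingWindowLimiter(token_limit, WINDOW_SECONDS, clock)
    names = [f"user{i}" for i in range(40)] + sorted(REGISTERED)
    exits = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]   # constructed
    return enumerate_rotating_ips(names, exits, "signup-token-1", ip_limiter, token_limiter)


if __name__ == "__main__":
    print("bulk oracle:", bulk_check_vulnerable(["alice", "nobody-here"]))
    print("IP-only limit, 3 exits:", len(run_scenario(10**9)), "names per window")
    print("IP + token limit:      ", len(run_scenario(RATE_LIMIT)), "names per window")
```

With an IP-keyed limit alone, the attacker's yield per window scales linearly with the number of exit nodes (here 3 exits give 15 verdicts instead of 5); keying the budget to something the attacker cannot rotate for free pins it back to 5. None of this makes a registration availability check fully enumeration-proof, since "taken" is the answer it exists to give; it only makes each answer cost something.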
