vincian Posted May 3, 2014 I would like to share this one recent bug I found in gmail. It allows sending a list of about 200 email addresses and validates them if they exist in the google DB or not. This validator script is used by gmail while registering new users (an ajax request is sent which shows whether the entered email is available or not while the user is filling up fields). It's simple XSS. Anyone can send a request containing multiple usernames and gmail replies with an answer for every single one of them, whether it exists or not. Here is my original post and description: http://vincian.blogspot.in/ http://vincian.tx0.org/links/gmail_email_validation.html Just thought of sharing it with hak5 :-)
vincian Posted May 6, 2014 Author (edited) Almost 200 views and no reply .. WTH! Edited May 6, 2014 by vincian
cooper Posted May 6, 2014 Well, yeah. Everybody and their cat is on gmail. Eat a bowl of alphabet soup, throw up and look at the letters on the floor. Chances are, that's a gmail user id. So what can you do with this? It's a starting point to hack a complete stranger. But what would be the point of that? In my country there's this bank called ING. Their bank account IDs are different from the 'regular' banks - it's just a number. No checksum gets calculated to compute a verification digit at the end, so it's more than reasonable to expect people to make a mistake while typing in the number of the account they want to transfer money to. When you say you want to transfer money to account X you need to name the recipient. When that name differs from what the bank has as the registered account owner, you get a prompt saying "The account you entered is owned by SOANDSO, is this who you want to transfer your funds to?". A classic case of information disclosure, I think you'd agree. The only requirement to get such a response is that you provide at least 3 characters in the account name field. It doesn't have to match SOANDSO's name in any way, shape or form to trigger such a response. A few years ago someone spent the time to index a large chunk of account numbers with their owners using this method and called the press, screaming "Fire!". The bank's response was to effectively shrug their shoulders and say knowing this information doesn't gain you anything, so what's the problem? And this was deemed by pretty much everybody to be a valid response. Your bank account number is hardly a secret. Sure, unless you're a business you don't list it on every page of your website, but since it can typically only be used to transfer money TO the account owner (for you to be able to transfer FROM the account, the owner needs to provide written consent to the bank), there's no real harm to do here.
So let's just ask the question here: Say you know the valid GMail address of someone, what would you do from that point that benefits you at least more than it bothers the owner?
vincian Posted May 6, 2014 Author Hey.. I never said it is a BIG security issue. It's just something which I think is interesting, validating 200 emails in one request.
cooper Posted May 6, 2014 Question remains: now that you have a valid gmail address, what can you do now? Where do you go next?
vincian Posted May 6, 2014 Author haha.. spam them :P, Auto-Spam the valid emails.
digininja Posted May 13, 2014 Where is the XSS part of this? I can see the validation bit but no XSS.
cooper Posted June 23, 2014 According to this wired article some Israeli found a similar and far less effective means of doing the same thing. He got $500 for it (after a bit of prodding). My suggestion to you would be to try the same. The one you've discovered is most certainly worse than the one he has...
digininja Posted June 29, 2014 Don't know the google terms and conditions but with most, if you've already disclosed, then they won't pay out.
vincian Posted July 1, 2014 Author (edited) digininja: I posted it here and blogged it only after disclosing to them. They made changes right away (limiting the number of requests in a timeframe) and that's all. :( Cooper: I can certainly generate more emails than "37,000 Gmail addresses in about two hours" (http://www.wired.com/2014/06/gmail-bug-could-have-exposed-every-users-address/). I'll just have to use tor and hop to different exit nodes according to the time-frame of gmail's replies. Edited July 1, 2014 by vincian
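The thread boils down to two defensive points: an availability check built for a signup form has no reason to accept 200 names per request, and a per-IP request limit (the fix vincian describes) is a rate signal you can also watch for in the logs. The script below is an added example written for this thread; it is not code from the thread, from vincian's blog, or from Google. The log format, the `/signup/check` path and the IP addresses are constructed for illustration.

```python
"""Spot bulk username-availability probing in access logs, and cap the
batch size on the validator itself so one request can't check many names."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (hypothetical format, not Google's):
# "<ISO timestamp> <client_ip> <path> <usernames_in_request>"
# 203.0.113.5 behaves like a person filling in a form; 198.51.100.7
# sends 200 names per request, three times in five seconds.
SAMPLE_LOG = """\
2014-05-03T10:00:01Z 203.0.113.5 /signup/check 1
2014-05-03T10:00:03Z 203.0.113.5 /signup/check 1
2014-05-03T10:00:04Z 198.51.100.7 /signup/check 200
2014-05-03T10:00:05Z 198.51.100.7 /signup/check 200
2014-05-03T10:00:09Z 198.51.100.7 /signup/check 200
2014-05-03T10:01:30Z 203.0.113.5 /signup/check 1
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, path, name_count)."""
    ts, ip, path, count = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, path, int(count)


def find_enumerators(log_text, window_seconds=60, max_lookups=50, max_batch=5):
    """Return {ip: reason} for clients whose availability checks look like enumeration.

    Two signals are checked: a single request carrying more than max_batch names
    (a registration form only ever needs one), and more than max_lookups names
    checked from one IP inside a sliding window of window_seconds.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> deque of (timestamp, names_in_request)
    totals = defaultdict(int)     # ip -> names checked inside the current window
    flagged = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, ip, path, count = parse_line(raw)
        if path != "/signup/check":
            continue
        if count > max_batch:
            flagged.setdefault(ip, f"batch of {count} names in one request")
        history = recent[ip]
        history.append((when, count))
        totals[ip] += count
        # Drop entries that fell out of the window before comparing to the limit.
        while history and when - history[0][0] > window:
            _, old = history.popleft()
            totals[ip] -= old
        if totals[ip] > max_lookups:
            flagged.setdefault(ip, f"{totals[ip]} lookups within {window_seconds}s")
    return flagged


def check_availability_request(usernames, max_batch=1):
    """Server-side guard for the validator: reject requests carrying more
    names than the signup form needs, then normalise the ones that remain."""
    if len(usernames) > max_batch:
        raise ValueError(f"too many usernames in one request ({len(usernames)} > {max_batch})")
    return [name.strip().lower() for name in usernames]


if __name__ == "__main__":
    for ip, reason in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

The batch-size guard is the cheaper of the two fixes: it removes the 200-for-1 amplification outright, while the rate window still matters because a single-name check repeated quickly is the same enumeration spread over more requests.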