Massive flaw could have exposed every Gmail user’s address

[NoBody]

White-hat hacker found exploit that could allowed him to collect every gmail address registered. No passwords, no anything else, just addresses. Still, that list could be worth millions on black market, but Google gave him only 500$ for finding the exploit.

 

 

 

However, before Hafif notified Google, he successfully retrieved some 37,000 addresses from the system.

 

 

A Google spokesperson confirmed to Wired that the company had repaired the bug and awarded him some financial compensation. However, Google did not respond to any further requests for comment.

 

 

 

Google rewarded Hafif with $500 – which some commentators deemed to be very low considering the work he did.

“Being a good person is not very profitable these days ,” Hafif posted on Twitter on Thursday.

 

 

I think Google could be more fair in this one.

 

 

Source:

 

 

http://www.timesofisrael.com/israeli-expert-saves-gmail-from-killer-hack/

 

http://rt.com/news/165552-gmail-bug-users-address/

[StingBull]

Prepare for incoming spam...

[Guest]

Wow, I've seen Google+ , but i've never seen them be such assholes before.

[H4X3R]

That's mean. He deserves at least 10K.

[Nineshadow]

At least they gave him something that isn't prison.

A Romanian hacker once discovered an exploit in Google security's system and then he went to jail D: .

[XzzDSA]

It's difficult to figure out what is fair tbh.. Wouldn't surprise me if he didn't get anything at all. After all it's general feedback from a customer...
It's more than fair, and the fact they even paid him anything for it I think is great.

It all comes down to if he plans on using these 37k gmail accounts for anything..... 

[XzzDSA]

At least they gave him something that isn't prison.

A Romanian hacker once discovered an exploit in Google security's system and then he went to jail D: .

Depends on what he did with the flaw - if he exposed it for anyone to use, I could imagine google wouldn't be very happy about him.

[AnnoyedShelf]

Honestly, Gmail's spam filter is so good that I haven't seen a spam message in my main mailbox for about 6 years.... So yeah, not worried at all.

[Linus_torvalds]

I hate white hackers!   see he could make much money on black market but he helped google and they gave him only 500$   

 

Pirates are real hackers. Who give us free games. why the fuck i must pay 60$ for shit like watch dogs and etc. if they were making games like CRYSIS 3 or BF4 i would buy but for shit like NFS rival. racing game that does not support racing wheel facepalm!  It's locked at 30 FPS and does not have pause LOL

 

God Bless Pirates!!!

[Guest Generallee]

I hate white hackers!   see he could make much money on black market but he helped google and they gave him only 500$   

 

Pirates are real hackers. Who give us free games. why the fuck i must pay 60$ for shit like watch dogs and etc. if they were making games like CRYSIS 3 or BF4 i would buy but for shit like NFS rival. racing game that does not support racing wheel facepalm!  It's locked at 30 FPS and does not have pause LOL

 

God Bless Pirates!!!

 

I don't think you understand the ethics behind being a white hat, also  you are mixing the Warez scene with black hats.

 

There are pirates who crack a game's launcher and bypasses the security check. They don't get anything in return.

 

There are "pirates" who are named so because they torrent games or movies.

 

There are pirates who infiltrate and compromise million dollars networks, those are real black hats. They don't do it for fun, they do it for money.

 

There are script kiddies, 14yo who just learned how to crack WEP's and are already shitting themselves.

 

Stop calling everyone a pirate

[Linus_torvalds]

I mean those pirates who upload games until they have come out. or after they come out and who cracks it. one guy on guru3D makes watch dogs look like it was in 2012 at E3  

 

thanks to Fenix who cracked BF3 so everyone can make his own server right on his desktop like i had! (i got bored) i had ping 0! on my server that was funny. 

 

thanks who cracks windows and programs. i would have payed 100-300$ for shitty windows (even free UBUNTU 14.04 beats it in every aspect except gaming but not for long) and 1000$ for other software. 

[flibberdipper]

He deserves at least $10,000, to be honest. Since I use GMail as my main email, I'm honestly disappointed that they gave him that little to save my email's security and 37,000 others. Fuck you Google.

[WanderingFool]

It is clearly stated the value that you would be given if you find a common web-problem

 

http://www.google.ca/about/appsecurity/reward-program/

 

To be honest $500 isn't that bad for just being able to get gmail usernames...it isn't like much was compromised

[Askew]

my address is fake so I don't care

[NoBody]

It is clearly stated the value that you would be given if you find a common web-problem

 

http://www.google.ca/about/appsecurity/reward-program/

 

To be honest $500 isn't that bad for just being able to get gmail usernames...it isn't like much was compromised

 

If someone creates full list of accounts... Trust me, its bad. Not necessarily from the user's point of view but as someone who does IT security, this is major flaw. Especially when you're talking about one of the largest email providers. 

 

If that list would for example go public, suddenly every script kiddie can sent bunch of spam to gmail servers and in result, google servers have additional unnecessary load and traffic + spam filters get less accurate (more people sending -> more chance for spam filter to fail and more time for google to detect it).

 

And that is only one of possible scenarios. Don't forget that people can get very creative with that kind of list.

[minimalist]

I wonder if he could have gotten more than $500 on the black market for the information he found. Apparently, that's what Google wants people to consider when they find something like this.

[Misanthrope]

So I'd be more exposed

 

*looks at gmail*

 

-17 spam emails

-50 "social" updates

-50 "promotion" mails

 

And this is taking into account that this is supposed to be my "clean" email: I keep a yahoo account for all mail I suspect will be spam....

 

So....yeah it's almost impossible to use an email without spam, you need 2 or 3 or 4 accounts anyway. I can't imagine things getting much worst.

[Sonefiler]

So I'd be more exposed

 

*looks at gmail*

 

-17 spam emails

-50 "social" updates

-50 "promotion" mails

 

And this is taking into account that this is supposed to be my "clean" email: I keep a yahoo account for all mail I suspect will be spam....

 

So....yeah it's almost impossible to use an email without spam, you need 2 or 3 or 4 accounts anyway. I can't imagine things getting much worst.

Use google priority mail and actually flag things as spam. I did this for about a week and now all the important emails are in my inbox and everything else I never even look at.

[EpicGeekonFire]

Watch him go Black Hat tomorrow, just because Google had to go full fgt. 

[Morpheus]

this has been posted before i'm pretty sure...

[Guest Generallee]

This is a dictionary generated list jeez calm your tits everyone

 

Not like some nuclear missile launch codes or something

[NoBody]

So I'd be more exposed

 

*looks at gmail*

 

-17 spam emails

-50 "social" updates

-50 "promotion" mails

 

And this is taking into account that this is supposed to be my "clean" email: I keep a yahoo account for all mail I suspect will be spam....

 

So....yeah it's almost impossible to use an email without spam, you need 2 or 3 or 4 accounts anyway. I can't imagine things getting much worst.

 

I actually know a solution for you haha. If you use chrome, go get extension "MaskMe" (https://chrome.google.com/webstore/detail/maskme/dpkiidbpeijnaaacjlfnijncdlkicejg)

Basically what it does, it offers you to "mask" your email address at registration forms (you can manually create masked address it too). The way it works is: for example you want to register to a random forum -> you get on registration page -> at entering email address extension asks you if you want to use your real email or a masked one. If you choose a masked one, extension creates new xxxxxxx@opayq.com email address just for this site. When forum sends you confirmation link on masked email, it will forward it to you on your real address. If you see that this address is spaming you, you just click do not forward this masked email anymore. Say goodbye to spamers haha And the best thing is, you can see who is abusing their database

I found this extension a year ago and its GOLD for me, can not live without it . Surprisingly no one knows about it...

[Misanthrope]

I actually know a solution for you haha. If you use chrome, go get extension "MaskMe" (https://chrome.google.com/webstore/detail/maskme/dpkiidbpeijnaaacjlfnijncdlkicejg)

Basically what it does, it offers you to "mask" your email address at registration forms (you can manually create masked address it too). The way it works is: for example you want to register to a random forum -> you get on registration page -> at entering email address extension asks you if you want to use your real email or a masked one. If you choose a masked one, extension creates new xxxxxxx@opayq.com email address just for this site. When forum sends you confirmation link on masked email, it will forward it to you on your real address. If you see that this address is spaming you, you just click do not forward this masked email anymore. Say goodbye to spamers haha And the best thing is, you can see who is abusing their database

I found this extension a year ago and its GOLD for me, can not live without it . Surprisingly no one knows about it...

 

I used to have an even better extension way back called "bugmenot" which basically made generic login credentials available to all. This sounds like a good option, specially since my spam email is really getting out of control (1446 unread emails, all of it fucking spam)

[Atlantisman]

Hey, most companies would have sued him into oblivion, so at least there's that.

[JaeDee884]

All good haven't updated my email address in years ;-)