Google on Wednesday patched a critical vulnerability that could expose every email account within Google’s Gmail directory. Such a leak could enable advanced attacks by spammers, malicious hackers, and phishers.

Security researcher Oren Hafif published details on how he was able to abuse a token exposed in a Google URL that could reveal every single Gmail address. Hafif was rewarded $500 through Google’s bug bounty program.

“I bruteforced a token in a Gmail URL to extract all of email addresses hosted on Google,” Hafif reported on his personal blog.

Hafif discovered the vulnerability while digging through Gmail’s delegation feature, which allows the email administrator to delegate access to other users by adding another account in the Gmail settings tab. When the process is started, Gmail sends a verification email stating that access for the other party is waiting to be accepted or denied. The email contains two embedded links, one to accept and another to deny. The two URLs are almost identical, apart from the important differences Hafif was able to use in his testing. The two URLs were:

Accept: https://mail[.]google[.]com/mail/mdd-f560c0c4e1-oren.hafif%40gmail.com-bbD8J0t6P6JNOUO36vY6S_pZJy4

Reject: https://mail[.]google[.]com/mail/mda-f560c0c4e1-oren.hafif%40gmail.com-bbD8J0t6P6JNOUO36vY6S_pZJy4

In both links, Google does not return the email address in the URL, Hafif posted on his blog, meaning that something inside the URL represents the email address. Hafif analyzed the different sections of the URL separately. First he focused on the mdd and mda mapping, which indicates whether access to the email is accepted or denied. Next he focused on the sequence of characters that follows the mapping, which he states is the authentication token. Finally he analyzed the sequence of characters at the end of the URL, which he described as some sort of “encoded blob.”

The researcher said he first tampered with the encoded bits inside the URL, and the request still returned the email address, voluntarily giving access. Next came the token, which held the gaping vulnerability.

“So I start a bruteforce – and what do you know… I get email addresses, lots of lots of email addresses. So many email addresses that every single tool I use for the bruteforce collapses. So I write my own multithreaded script in ruby – which is not as fast as I want,” Hafif reported.

Hafif also noticed that many of the discovered email addresses were not associated with Gmail. He concluded that they belonged to businesses using the Google Apps mail service; an attacker gaining access could be detrimental for any company.

“That is actually a pretty hot topic right now. Should we move to the cloud? Should we use Gmail as our organizational email manager?” Hafif wrote. “As the argument about the future of enterprise email goes on with a focus on security – leakage of organizational emails might assist attackers in their spear-phishing attacks and eventually expose the company to advance persistent threats.”

Hafif stated he turned to DirBuster, an Open Web Application Security Project (OWASP) tool, and used it to bruteforce directories within Google; the tool also contains a URL fuzzer. By loading his custom-built Ruby dictionary of all 10-character hex token combinations into DirBuster, Hafif was able to obtain all valid tokens within Google, which he was then able to convert into valid email addresses using a web application attack tool named Burp Intruder.
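The weakness described above is a short token that alone decided what the server returned, while the rest of the link went unchecked. The following Python example is added here for illustration and is not Google's code or code from Hafif's post; it contrasts a token-only lookup with one that authenticates every field of the link. The path layout, the role of the address in the link, the key handling and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import quote, unquote

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
PENDING = {}                          # token -> address the confirmation page shows

def _mac(action, token, link_addr):
    """HMAC-SHA256 over every field of the link, so none can change alone."""
    msg = "\x00".join((action, token, link_addr)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_link(action, owner, link_addr):
    """Create a pending request and return its link path (hypothetical layout)."""
    token = secrets.token_hex(16)     # 128 random bits instead of 10 hex characters
    PENDING[token] = owner
    mac = _mac(action, token, link_addr)
    return f"/mail/{action}-{token}-{quote(link_addr, safe='')}-{mac}"

def _split(path):
    """Split '/mail/<action>-<token>-<address>-<mac>'; the address may contain '-'."""
    action, token, rest = path.removeprefix("/mail/").split("-", 2)
    link_addr, mac = rest.rsplit("-", 1)
    return action, token, unquote(link_addr), mac

def lookup_weak(path):
    """Behaviour the article describes: only the token decides what is returned."""
    try:
        _, token, _, _ = _split(path)
    except ValueError:
        return None
    return PENDING.get(token)

def lookup_hardened(path):
    """Return the stored address only when the whole link authenticates."""
    try:
        action, token, link_addr, mac = _split(path)
    except ValueError:
        return None
    if action not in ("mdd", "mda"):
        return None
    expected = _mac(action, token, link_addr)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None                   # same answer for unknown token and bad MAC
    return PENDING.get(token)
```

Rate limiting and alerting on repeated failed lookups from one client are a separate layer on top of this check.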

Hafif pointed out that email addresses are of significant value to attackers; they can be used for phishing, spam, and various other malicious campaigns.

“Your email address is being used for authentication everywhere,” Hafif said. “If it has been exposed, it can be used to access your Google account, Facebook account or trying to hack into your smartphone via your Apple Id or your Google Play account name.”