tl;dr: I discovered a glitch that allowed me to guess, in large number, existing Google accounts addresses that could otherwise be unknown.

DISCLAIMER: it’s just bruteforce that wasn’t properly rate-limited, nothing too fancy, so if you’re looking for some juicy 0day please pass along 😉

The glitch

The non rate-limited URL is https://mail.google.com/mail/gxlu. I noticed that providing an non existant user/e-mail will trigger a different header response from the server. For example here with a valid account you’ll get:

And with a non existant account:

The two requests will show equivalent HTTP 204 No Content replies but a request against an existing account the server shall add a Set-Cookie header.

Guessing valid addresses

So obviously I decided to write a Python script to abuse this… 😏

The main idea was to lookup for firstname.lastname@gmail.com addresses that are likely to exist. First step: getting a list of known firstnames and lastnames. Thanks to Facebook and a 2010 information leak such lists are publicly available. Another idea was to generate fake personas using randomuser.me and check if they can match existing accounts.

This way I was able to guess around 40,000 valid e-mail addresses per day with a stupid unoptimized PoC.

Why would this pose a privacy threat?

The issue here is that a large part of these addresses are unknown to the public. People might want to get their privacy respected and not being spammed by bots, right?

Bruteforcing can be limited easily: captcha, rate-limiting, etc. You already get these protections on most of the Google services, take an example of Google over Tor, there are captchas everywhere!

How likely is an unlisted e-mail to be known/pwned?

I checked using the haveibeenpwned.com API for pwned addresses. The idea was to get the probability for a random and valid e-mail address to be in some kind of leaked database. Interestingly it is not that likely!

Only 8.41% of tested addresses were in such database. Also worth noting that all the e-mails I got aren’t necessarily active right now, my list may contain some old and unused addresses. Here are the breaches an e-mail is most likely to be in:

- River City Media Spam List (4,98%)

- SC Daily Phone Spam List (2,63%)

- LinkedIn (2,46%)

- Dropbox (1,52%)

- MySpace (1,37%)

- Adobe (1,33%)

- Modern Business Solutions (1,14%)

- Special K Data Feed Spam List (1,01%)

- Tumblr (0,73%)

- Last.fm (0,51%)

Impact

This bug could be exploited by malicious people: there are scenarios involving — in the best case scenario — guerrilla marketing campaigns (ie. receiving unsolicited e-mail) or worse, phishing and ransomware attacks, as usual.

Google response

02/03/2017 14:54:00 (UTC+1): contact Google with this issue

02/03/2017 17:13:00 (UTC+1): Google reply “your report was triaged and we’re currently looking into it.”

02/03/2017 17:27:00 (UTC+1): Google reply “ decided to route it internally to a team that deals with similar issues”

22/03/2017 00:56:00 (UTC+1): Google reply “We haven’t forgotten about your report; we’re still looking into it and will get back to you in a couple of days.”

31/03/2017 16:29:00 (UTC+1): Google decided not to classify this as a security bug ¯\_(ツ)_/¯