Tuesday, June 10, 2014

One Token to Rule Them All - The Tale of the Leaked Gmail Addresses

Since I don't really know where to start, let's start at the end. At the very end of this attack, I am going to hold what appears to be every single email address hosted on Google. So what? I mean why is that such a big deal? To answer this question, you might want to read the following article I just posted on the Trustwave SpiderLabs Anterior Blog: From a username to full account takeover.

As indicated in my previous post, GMAIL is the Global Main Authentication and Identification Library. It is used everywhere from sites like Facebook and Twitter to online-banking. Owning your Gmail account is a hacker's dream – because it means all other accounts are now in reach.

Think about how much money a spammer or a country (China?) would be ready to pay for a list of all the email addresses tied to Google Accounts. At the end of this post you will also find out how much Google thinks such a list is worth.

Short Version

I really think you'll enjoy this post; however, for those of you who can't spare 5 minutes to read it, here is a one-liner:
I bruteforced a token in a Gmail URL to extract all of the email addresses hosted on Google.

Gmail Delegation Feature

Did you know that you can use the Gmail delegation feature to grant other people access to your Gmail account? Well, until (very) recently, neither did I. You can go to account settings and select “Add another account”:

Gmail Settings - Gmail Delegation Feature
After you do that, an email message will be sent to the account you just entered. It looks like this:

Gmail Delegation - Accept or Deny? Can you spot the differences?
As you can see, there is an accept link and a reject (deny) link. We can play “spot the differences” – but I am not sharing my bounty with the finder. Clicking on the reject link gets you this message (the language depends on the settings of the Google account that sent the delegation email):

The "delegation deny" link for "hastudent@gmail.com"
Google tells us which email address we denied access to. In this case it is hastudent@gmail.com. Given that:
  1. The email address that requested access (hastudent@gmail.com) is not in the URL.
  2. The request also works as an unauthenticated request (no cookies).
  3. Google is extremely distributed.

It would be safe to assume that something in the URL helps Google determine the delegation email address and present it to us.

Deep URL inspection with Homer Simpson

Let’s take a closer look at the request URL, with our friend Homer Simpson:
  1. The first part, “https://mail.google.com/mail/”, is just the normal mapping to the Gmail application.
    [Homer says: "Sigh!"]
  2. The second “/mdd” is the mapping for the mail delegation deny servlet.
    [Homer says: "Sigh!"]
  3. What does “f560c0c4e1” stand for? It looks like a token. There is some hope here, as this one is so short and it’s hexadecimal.
    [Homer says: "WooHoo!"].
  4. My email address – probably not relevant.
    [Homer plays Spider-Pig again].
  5. What does “bbD8J0t6P6JNOUO36vY6S_pZJy4” stand for? It looks like an encoded blob. This is normally a BAD sign as Google loves to HMAC request URLs and that could be a giant “pain in the scans”.
    [Programmer Homer says: while(true)("Sigh!"+"D'oh");].

So this leaves only (3) and (5). First things first, I tampered with the blob from (5). WooHoo! It is not validated, and the email is still exposed! Note that in the “delegation accept” URL the blob was actually validated.
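As an added illustration, not code from the post: the arithmetic behind why a 10-hex-character token is enumerable, next to the kind of protection the “accept” link already had, binding every URL component to a keyed HMAC and checking it in constant time. The secret key, the owner address and the 500-million account figure are assumptions for the demo; the token value is the one from the post.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Part 1: why the 10-hex-character token in the "/mdd" URL is guessable.
# 10 hex characters is only 40 bits, and every valid token corresponds to a
# live mailbox, so a blind guess succeeds about once every space/accounts tries.
TOKEN_HEX_LEN = 10

def token_space(hex_len = TOKEN_HEX_LEN)
  16**hex_len
end

# Expected blind guesses per leaked address. `accounts` is an assumed figure
# for the demo, not a number published by Google.
def guesses_per_hit(accounts, hex_len = TOKEN_HEX_LEN)
  token_space(hex_len).fdiv(accounts)
end

# A token long enough that guessing is hopeless (128 bits, 32 hex chars).
def unguessable_token
  SecureRandom.hex(16)
end

# Part 2: the fix the "accept" link already had. Every component of the URL
# is bound to a keyed HMAC, so changing the token or the e-mail blob
# invalidates the signature and the server reveals nothing.
class DelegationLink
  PATH_RE = %r{\A/mail/mdd-([0-9a-f]{#{TOKEN_HEX_LEN}})-(.+)-([A-Za-z0-9_-]{43})\z}

  # `secret` is a hypothetical server-side key; a real deployment would load
  # it from a key store rather than pass it in.
  def initialize(secret)
    @secret = secret
  end

  # Builds a deny link with the same shape as the one in the post:
  # /mail/mdd-<token>-<owner email>-<signature>
  def build(token, owner_email)
    "/mail/mdd-#{token}-#{owner_email}-#{sign(token, owner_email)}"
  end

  # Returns [token, owner_email] when the signature checks out, else nil.
  # Only on success would the server look up and display the delegate.
  def verify(path)
    m = PATH_RE.match(path)
    return nil unless m
    token, owner_email, sig = m.captures
    return nil unless secure_equal?(sig, sign(token, owner_email))
    [token, owner_email]
  end

  private

  # HMAC-SHA256 over the token and owner, URL-safe base64 without padding
  # (32 bytes -> 43 characters, which PATH_RE relies on).
  def sign(token, owner_email)
    mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), @secret,
                               "mdd|#{token}|#{owner_email}")
    Base64.urlsafe_encode64(mac, padding: false)
  end

  # Constant-time comparison: do not let response timing reveal how many
  # leading signature bytes were correct.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Demo with constructed values: the token from the post and an assumed owner.
  link = DelegationLink.new(SecureRandom.random_bytes(32))
  path = link.build('f560c0c4e1', 'owner@example.com')
  puts path
  p link.verify(path)                                 # => ["f560c0c4e1", "owner@example.com"]
  p link.verify(path.sub('f560c0c4e1', 'f560c0c4e2'))  # => nil (tampered token)
  printf("blind guesses per hit at 40 bits: %.0f\n", guesses_per_hit(500_000_000))
end
```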

Well, if I counted correctly, we are left with the token from (3). From now on we will call it “the token”, “token” or “my precious”. My precious token, I won’t let any sneaky little hobbitses take it from us!

One Token to Rule Them All – The Fellowship of the Token

So I start a bruteforce – and what do you know… I get email addresses, lots and lots of email addresses. So many email addresses that every single tool I use for the bruteforce collapses. So I write my own multithreaded script in Ruby – which is not as fast as I would like.

I took a break to look at the interim results of ~1000 emails, and I see a lot of non-“@gmail.com” addresses. So I check the domain names of these emails, and then it hits me – these are domains of organizations that are using “Google Apps for Business”, and this also includes the internal @google.com addresses of Google employees.

Should your company move to the cloud? A really hard question!
That is actually a pretty hot topic right now. Should we move to the cloud? Should we use Gmail as our organizational email manager? As the argument about the future of enterprise email goes on, with a focus on security: leakage of organizational email addresses might assist attackers in their spear-phishing campaigns and eventually expose the company to advanced persistent threats.

Question to Google: business email addresses can be considered more sensitive than “@gmail.com” addresses, so why don’t you separate the environments that deal with such addresses? I mean, why not sandbox the entire organization using the “/a/” mapping that is already there? I see no reason to put all emails in the same database (at least not for delegation).

My precious token can get them all, even if you never gave your email address to any single living creature (especially hobbits). Private email addresses or business email addresses with your organization’s domain – all are mine. If you consider some of your employees' and executives' email addresses confidential, that’s a problem.

One Token to Rule Them All – The Two Towers

So, where were we? Our current goal is to bruteforce all tokens. We still haven't found a tool that is fast enough to get us through – a tool that will enable us to leak all email addresses.

Well, salvation finally came from our "direst" friend, the mighty wizard of OWASP, also known as DirBuster. Not a lot of people know that DirBuster is also a great URL fuzzer. With support for a large number of threads and the use of HEAD requests to improve performance, DirBuster is our current hope.

But, in order to get DirBuster to work, we need to provide a dictionary. In this case, it would hold all 10-character-long combinations of such a hex string. Generating such a dictionary is fairly simple (here is a Ruby example, and yes, I know it could be done in one line):

Ruby dictionary generation. Simple, isn't it?
Now let's put it all into DirBuster:

  1. Dictionary name is gmail_0000.txt
  2. Under "Select starting options", choose "URL Fuzz"
  3. The URL to fuzz is /mail/mdd-{dir}-support@google.com-O6xUbWXP7hm8GaZGUetuk5f9vlU

DirBuster accepts the challenge

DirBuster will now replace the string "{dir}" with each of the tokens from our dictionary. Each 200/OK response is one small victory in our glorious battle.

Bypass Google's Anti-Bot Protections

If you have ever tried to scan Google, you have probably encountered this message, also known as the "Google Sorry" product:

First things first, apology accepted. Google will start throwing this at you after ~30K requests, and sometimes even sooner. It really depends on the URL, cookies, your IP address and a bunch of other stuff. 

Have you noticed something weird in the URL pasted into DirBuster? That's right, I put "support@google.com" there instead of my own email address. This is a honeypot that leads Google to block requests with that string in the URL instead of blocking our entire attack campaign. So now you can try for yourself: go ahead and confirm that the following link gets Google to apologize to you:

And now, try replacing that string with something else… You see? I told you so. This is useful information whenever you choose to launch automated attacks on Google (which you shouldn't do without getting permission from the Google security team). So after they block us, we just change this to "bla@google.com", for example, and keep on going.

One Token to Rule Them All – The Return of the King

We have the tokens; all we have to do in order to translate tokens into email addresses is to access these links. A simple wget/curl loop would do. I chose to use Burp's Intruder for that:

That's a lot of email addresses. Censored for the sake of humanity.
After the hard work invested in this attack, I think it is pretty obvious that I would get the honor of declaring the King's return – the one that saved the day once again – the Google Security Bot:

Thank you Google Security Bot!
The Google Security Bot and his knights (the Google security team) fixed the vulnerability and rewarded me with a $500 bounty.

Summary and Building the Exploit

To sum it all up - here is the process simplified to a step-by-step list: 
  1. Get the delegation deny URL.
  2. Create a dictionary with all 10-hex-character token combinations. Ruby is awesome for that.
  3. Run DirBuster in URL Fuzz mode to obtain all valid tokens.
  4. Bypass Google's anti-bot protection.
  5. Convert tokens to email addresses (for example, with Burp's intruder).
  6. Send Google a file with some of the extracted email addresses.
  7. Get a bounty.
What else can be done with this information? 
Read "From username to full account takeover".

The exploit video


  1. I can't believe Google are such cheap asses! An individual stolen address is worth $0.000025 (http://www.securitymanagement.com/news/00000025-going-rate-black-market-your-email-address-008950), Google has 500 million accounts; they should have paid you AT LEAST $12,500, without counting the collateral macro-level damage that would have been caused by leaking their entire email DB and the damage to Google's reputation.

    1. Hi Gil,
      I agree about the bounty being low; however, this is out of my control. You would be surprised to know that at first Google found this bug not to qualify for a reward at all. It was only after a second review that the panel awarded me a $500 bounty.

    2. I too agree the reward is too low for such a finding!

  2. Well done my friend.
    Shame on you - Google!

  3. Totally agree with gilcohen. This reward is hilarious for such a sweet bug.

    1. This comment has been removed by the author.

    2. Thanks for the compliments :)
      Hope the reward panel hears your voice. However, their decisions are fairly complex. For example, giving a higher bounty here might force them to explain why they won't pay for username enumeration in their sign-up page... And trust me, they have probably heard that a gazillion times. They probably understand that this case is different, however explaining this over and over again might be overwhelming. Always look at the wider picture. I mean, I am speculating, but who knows?

  4. That reward amount is missing a zero or two. Good work!

  5. How come you are not working there yet?
    But then again, if that's what they're paying for bounties!?

    1. Lolz. Google is still a great company to work at :)

  6. I think the email addresses are the ones that have requested the delegation feature.
    Anyway, good job!

    1. Yes, you have to do it just once to get the link... then you can go wild and get all addresses.

  7. Very impressive!! great job!! ... so $500?? perhaps they are sending the missing two zeros to your gmail account

    1. probably 4 more zeros: 0000 = null byte

  8. You only got 500$ for that? Are you sure, that’s not 500k$? I think if I were Google, I’d have given you at least that much as thank you for not selling all those email addresses for 5M$!

    1. Thanks. 500$ would do. My parents are using Gmail, and it's enough for me to know that their account is now safer.

  9. Evidently the consensus is that Google seriously cheaped out on you, and I agree. I can only imagine how much money a person of lesser values would have made with a list like this. Very good job.

  10. Where's the g+ like button for this?

  11. Just above the comments... Just 500 USD for this BUG... is it a joke?

  12. Well done, bro!
    I agree that the bounty should not be this low ($500).
    After all, it's all about talent and not money. Keep up your good work, bro!
    Cheers for your knowledge.

  13. So you've just bruteforced the tokens?

  14. Unbelievable job, bro.

    Do you have my email address ending in 88.ag?

  15. It is truly a shameless cent, what Google gave you. I am a poor start-up. I have decided to pay at least 10 times more for the software that I have bought for my project.

  16. Nice finding, bro... congrats (Y)
    And shame on you, Google!!!! This time Google sucks regarding the bounty programs....
    We researchers do lots of hard work to find a single BUG in their websites and improve their security services... but I don't think they are thinking much about this.... :(

    But nevertheless congrates (Y)


  18. May I ask how did you contact them?
    I'd say the "contact them" step deserves a post of its own. How can you actually reach a live human being in there who doesn't throw back answers from a FAQ?
