
Posted on Oct 26, 2012 in Internet

Mathematician detects security flaw in Google mail and impersonates its founders


(C) Brynn Anderson / Wired

Zachary Harris is a 35-year-old mathematician in Florida, United States, who some time ago received an unexpected email from Google offering him a job. “Obviously you have a passion for Linux and programming. We wanted to see if you are open to exploring new opportunities with Google,” read the email.

Harris was skeptical because he knew that, as a mathematician, he was not the ideal candidate for Google to seek out by email. After wondering whether it could be a case of phishing (spoofing), he checked the information in the email's header and found that everything appeared to be legitimate.

Then he noticed something strange. Google was using a rather weak DKIM domain key (512 bits long, when at least 1024 bits is recommended) to certify that its emails came from a legitimate Google corporate domain, which meant that anyone with enough skill could crack it and send email on behalf of the Mountain View company.

The mathematician thought Google could not be that careless, so he concluded that it must be a special recruiting method meant to test whether candidates were able to detect this vulnerability. Harris therefore decided to break the DKIM key and send an email to each of Google's founders (Sergey Brin and Larry Page), impersonating the other.

Harris set his own email address as the return address (return path) of the messages sent to Brin and Page, and included the address of his website in the message content. After waiting two days, he noticed that Google had switched to a 2048-bit DKIM key and that his website had started receiving many visits from Google IP addresses. Harris had found a real vulnerability at the Mountain View company.

After realizing this, Harris found that the same problem of a weak DKIM key (less than 1024 bits) was repeated at Yahoo!, Microsoft, Dell, Apple, eBay, Amazon, PayPal, Twitter, SBCGlobal, U.S. Bank, HP, HSBC and Match.com, most of which have since improved their security standards to prevent impersonation.
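A domain owner can check for the weak-key condition described above by measuring the RSA modulus published in each DKIM TXT record. The following is an added example, not code from the article or from any of the companies named; the function names are hypothetical, and the sample records are constructed with a placeholder modulus of the right size rather than a real key.

```python
import base64

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Modulus size of a DER SubjectPublicKeyInfo or bare RSAPublicKey."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, first, nxt = _read_tlv(body, 0)
    if tag == 0x30:                         # SPKI: skip AlgorithmIdentifier
        _, bitstr, _ = _read_tlv(body, nxt)
        _, inner, _ = _read_tlv(bitstr, 1)  # byte 0 is the unused-bit count
        tag, first, _ = _read_tlv(inner, 0)
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(first, "big").bit_length()

def audit_dkim_record(txt, minimum=1024):
    """Return (verdict, bits); 1024 is the minimum the article cites."""
    tags = {k.strip(): "".join(v.split())
            for k, _, v in (part.partition("=") for part in txt.split(";"))}
    if tags.get("k", "rsa") != "rsa":
        return "skipped", None
    if not tags.get("p"):
        return "revoked", None              # empty p= marks a revoked key
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return ("weak" if bits < minimum else "ok"), bits

def _der(tag, body):                        # encoder, used only for the samples
    size = (len(body).bit_length() + 7) // 8
    head = (bytes([len(body)]) if len(body) < 0x80
            else bytes([0x80 | size]) + len(body).to_bytes(size, "big"))
    return bytes([tag]) + head + body

def constructed_record(bits):
    """Constructed sample: a placeholder modulus of this size, not a real key."""
    mod = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = _der(0x30, _der(2, mod) + _der(2, b"\x01\x00\x01"))
    spki = _der(0x30, bytes.fromhex("300d06092a864886f70d0101010500") + _der(3, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    print([audit_dkim_record(constructed_record(b)) for b in (512, 1024, 2048)])
```

To audit a real domain, pass the TXT value published at `<selector>._domainkey.<domain>` to `audit_dkim_record`.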

Link: How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole (Wired)
