Guessing Valid GMail Addresses – Not A Bug (Must Be A Feature)

Abusing Gmail to get previously unlisted e-mail addresses

From the post:

tl;dr: I discovered a glitch that allowed me to guess, in large number, existing Google accounts addresses that could otherwise be unknown. DISCLAIMER: it’s just bruteforce that wasn’t properly rate-limited, nothing too fancy, so if you’re looking for some juicy 0day please pass along 😉
… (emphasis in original)

Cutting to the chase:


This way I was able to guess around 40,000 valid e-mail addresses per day with a stupid unoptimized PoC.
… (emphasis in original)

When advised of the issue, Google responded its not a security bug.

Comments are closed.