Planet Google

Google Headhunter’s Recruitment Email Reveals Huge Email Security Flaw

A number of major websites are protected with crackable cryptographic keys.

Zachary Harris (LinkedIn)

When mathematician Zachary Harris received an email from a Google headhunter asking if he was “open to confidentially exploring opportunities” with the search giant, Mr. Harris was skeptical. He checked the email’s headers–the thicket of traffic data hidden in every message we receive–and saw that though the message was authentic, Google had a problem.

The cryptographic key that validated the email and verified it as having come from someone at Google was surprisingly weak. This is the domain’s DKIM (DomainKeys Identified Mail) signing key: Google signs outgoing mail with the private half, and publishes the public half in DNS so that receiving servers can check the signature. The public key was short enough that Mr. Harris realized, given a little time, he could factor it, recover the private key and forge signatures that Google’s own verifiers would accept. Thinking this was surely some kind of test, Mr. Harris cracked the 512-bit key (the DKIM specification requires signers to use keys of at least 1,024 bits, twice that length) and sent an email to Mr. Brin and Mr. Page–but made it look as if it came from one man to the other.
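The check Mr. Harris did by hand can be automated. The script below is an added example, not code from the article or from Mr. Harris: it parses a DKIM TXT record, base64-decodes the p= tag (a DER-encoded SubjectPublicKeyInfo), walks the ASN.1 structure to the RSA modulus and reports its bit length against the 1,024-bit floor. The two records it examines are constructed here; their moduli are placeholder values of the right length, not real keys.

```python
import base64
import re

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1).
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def rsa_spki_der(n, e):
    """Encode (n, e) as a SubjectPublicKeyInfo, the format DKIM's p= tag carries."""
    rsa_key = _der_tlv(0x30, _der_int(n) + _der_int(e))
    alg_id = _der_tlv(0x30, RSA_OID_DER + b"\x05\x00")   # NULL parameters
    return _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_key))


def dkim_txt_record(n, e=65537):
    """Build a DKIM key record as it would appear at <selector>._domainkey.<domain>."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(n, e)).decode()


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dkim_txt(txt):
    """Split 'tag=value; tag=value' into a dict; whitespace inside values is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def rsa_modulus_bits(spki_der):
    """Walk SPKI -> AlgorithmIdentifier / BIT STRING -> RSAPublicKey -> modulus."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, pos = _read_tlv(spki, 0)
    if not alg.startswith(RSA_OID_DER):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_key, _ = _read_tlv(bitstr, 1)       # skip the unused-bits octet
    tag, modulus, _ = _read_tlv(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("RSAPublicKey must start with the modulus INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def assess_dkim_record(txt):
    """Return (bits, verdict): 'weak' below the 1024-bit signer minimum in RFC 6376,
    'marginal' at 1024 (RFC 8301 recommends 2048), 'ok' at 2048 and above."""
    tags = parse_dkim_txt(txt)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return 0, "unsupported"   # revoked key (empty p=) or a non-RSA key type
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < 1024:
        return bits, "weak"
    if bits < 2048:
        return bits, "marginal"
    return bits, "ok"


# Constructed sample records (placeholder moduli with the top bit set, not real keys).
SAMPLE_512 = dkim_txt_record((1 << 511) | 0x10001)
SAMPLE_2048 = dkim_txt_record((1 << 2047) | 0x10001)

if __name__ == "__main__":
    for label, record in (("512-bit", SAMPLE_512), ("2048-bit", SAMPLE_2048)):
        print(label, assess_dkim_record(record))
```

To run this against a real domain, take the selector from the s= tag and the domain from the d= tag of a message’s DKIM-Signature header, fetch the TXT record at selector._domainkey.domain with your resolver, and pass the record text to assess_dkim_record.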

He never received a response. However, as Wired reports, Google clearly noticed:

Harris made sure the return path for the e-mails went to his own e-mail account, so that Brin and Page could ask him how he’d cracked their puzzle. But Harris never got a response from the Google founders. Instead, two days later, he noticed that Google’s cryptographic key had suddenly changed to 2,048 bits. And he got a lot of sudden hits to his web site from Google IP addresses.

Oops, Harris thought, it was a real vulnerability he’d found.

Mr. Harris examined other domains and found that a laundry list of some of the most popular ones also published undersized DKIM keys. They included PayPal, Yahoo, Amazon, eBay, Apple and Dell, just to name a few. As Wired noted, “Send an e-mail as jeff.bezos@accounts.amazon.com? No problem. Spoof marissa.meyer@yahoo-inc.com? Piece of cake.”

Mr. Harris noted that many banks, as well as PayPal, used somewhat stronger 768-bit keys; however, even keys of that length are within reach of a well-resourced attacker (a 768-bit RSA modulus was publicly factored by an academic team in 2009). He told Wired that a large group with considerable resources, or an unfriendly nation-state like “the government of Iran,” could probably crack 768-bit keys.

Considering that the U.S. believes Iran is already attacking American financial institutions, Mr. Harris’s discoveries may be an unwelcome wake-up call to financial security professionals nationwide.

Follow Steve Huff via RSS. shuff@observer.com