
Mathematician Impersonates Google Founder to Point Out DKIM Flaw

Bianca STANESCU

October 25, 2012


An American mathematician impersonated Google founder Sergey Brin to point out a vulnerability in the company's use of DomainKeys Identified Mail (DKIM), the e-mail authentication scheme in which a domain signs its outgoing e-mails with a cryptographic key so that recipients can validate them, according to media reports.

The discovery came about after 35-year-old Zach Harris received a strange e-mail from a Google headhunter who offered him a job as a site-reliability engineer.

“You obviously have a passion for Linux and programming,” the alleged Google recruiter said. “I wanted to see if you are open to confidentially exploring opportunities with Google?”

Because he didn't think he was the ideal Google candidate, Harris was intrigued, and discovered the search giant was signing its e-mail with only a 512-bit key, half what the DKIM standard calls for. A key that short could be factored cheaply with rented cloud computing, allowing anyone to impersonate any e-mail sender at Google, including the company's founders Sergey Brin and Larry Page.
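The weakness described here is visible in public DNS: a domain's DKIM public key is published as a TXT record, so anyone receiving mail from it can see how long the signing key is. The script below is an added example, not code from the article or from Google: it parses a DKIM TXT record, walks the DER-encoded RSA public key in its `p=` tag without third-party libraries, and flags moduli below the 1024-bit minimum that RFC 6376 sets for long-lived keys. The two records it audits are constructed inline from random odd numbers of the right length (not real RSA keys; only the length is measured), so it runs offline and reproduces the 512-bit versus 2,048-bit difference the article reports.

```python
import base64
import random

# RFC 6376 requires signers to use RSA keys of at least 1024 bits for
# long-lived DKIM keys; the Google record in the article was half that.
MIN_BITS = 1024

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1), tag and length included.
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    # Add a leading zero byte when the high bit is set so the INTEGER stays positive.
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_rsa_spki(n, e=65537):
    """Build a SubjectPublicKeyInfo for an RSA modulus n, as DKIM's p= tag carries it."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    algorithm = _der(0x30, RSA_OID + b"\x05\x00")  # rsaEncryption with NULL parameters
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Return the bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("public key is not a DER SEQUENCE")
    tag, algorithm, pos = _read_tlv(spki, 0)
    if tag != 0x30 or not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bit_string[:1] != b"\x00":
        raise ValueError("malformed BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string, 1)  # skip the unused-bits octet
    tag, modulus, _ = _read_tlv(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt):
    """Split a DKIM TXT record ("v=DKIM1; k=rsa; p=...") into a tag dictionary.
    Whitespace inside values is dropped, since long p= values are often split in DNS."""
    tags = {}
    for field in txt.split(";"):
        if field.strip():
            name, _, value = field.partition("=")
            tags[name.strip()] = "".join(value.split())
    return tags


def audit_dkim_record(txt):
    """Report the key size of a DKIM record and whether it falls below MIN_BITS."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa records are handled here")
    if not tags.get("p"):
        return {"bits": 0, "weak": True, "note": "empty p= means the key is revoked"}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return {"bits": bits, "weak": bits < MIN_BITS}


def constructed_record(bits, seed):
    """Constructed test record: the modulus is a random odd number of the given size,
    not a real RSA key; the audit only measures its length."""
    n = random.Random(seed).getrandbits(bits) | (1 << (bits - 1)) | 1
    p = base64.b64encode(encode_rsa_spki(n)).decode()
    return f"v=DKIM1; k=rsa; p={p}"


if __name__ == "__main__":
    for record in (constructed_record(512, 1), constructed_record(2048, 2)):
        print(audit_dkim_record(record))
```

To audit a live domain, pass the concatenated TXT strings of `<selector>._domainkey.<domain>` (the selector is the `s=` tag of a received message's DKIM-Signature header) to `audit_dkim_record`; DNS servers split long `p=` values into several quoted strings, which is why the parser strips interior whitespace. An empty `p=` is not weak in the cryptographic sense but is treated as a finding because it means the selector is revoked and should no longer be signing anything.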

Thinking this could be a recruiting test from Google, Harris thought of playing along and sent an e-mail to Page that looked as if it were coming from Brin.

“I love factoring numbers,” Harris said, as quoted by Forbes. “So I thought this was fun. I really wanted to solve their puzzle and prove I could do it.”

In the e-mail, he promoted his personal website as an interesting “idea still being developed in its infancy.” “I think we should look into whether Google could get involved with this guy in some way. What do you think?” the e-mail signed by “Sergey” read.

The mathematician didn't get an answer from Google, but soon discovered the company's cryptographic key had suddenly changed to 2,048 bits.

“I assumed the e-mail got to some influential tech person who looked at it and said, ‘Wait a second, how is this obviously spoofed e-mail getting through?’ And they apparently figured it out on their own,” Harris said.

He also found DKIM vulnerabilities in websites used by PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP, Match.com and HSBC.
