
Mathematician Impersonates Google Founder to Point Out DKIM Flaw

Bianca STANESCU

October 25, 2012


An American mathematician impersonated Google founder Sergey Brin to point out a vulnerability in the company's use of DomainKeys Identified Mail (DKIM), a system in which a domain uses a cryptographic key to sign its outgoing e-mails so that recipients can verify they are genuine, according to media reports.

The discovery came up after 35-year old Zach Harris received a strange e-mail from a Google headhunter who offered him a job as a site-reliability engineer.

“You obviously have a passion for Linux and programming,” the alleged Google recruiter said. “I wanted to see if you are open to confidentially exploring opportunities with Google?”

Because he didn't think he was the ideal Google candidate, Harris was intrigued, and discovered the search giant was signing its mail with only a 512-bit key, half the minimum the DKIM standard calls for. A key that short could be cracked by anyone with a modest amount of rented cloud computing, allowing them to forge e-mail from any Google sender, including the company's founders Sergey Brin and Larry Page.
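The weakness described above is a key-length problem, and it is one a domain owner can check for themselves. The following Python script is an added example and not code from the article or from Google: it parses a DKIM TXT record of the form `v=DKIM1; k=rsa; p=<base64>`, decodes the DER-encoded public key, and reports the RSA modulus size, flagging anything under 1024 bits (the minimum RFC 6376 section 3.3.3 requires of signers). The two sample records are constructed for the demo with placeholder moduli, not real keys, and the `make_dkim_record` helper exists only to build them; in practice you would feed the script the TXT record fetched from `<selector>._domainkey.<your-domain>`.

```python
import base64

# DER encoding of the rsaEncryption OID 1.2.840.113549.1.1.1 (tag + length + value)
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    """DER INTEGER: minimal big-endian bytes, with a leading 0x00 if the top bit is set."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der(0x02, b)


def make_dkim_record(modulus, exponent=65537):
    """Build a DKIM TXT record around a SubjectPublicKeyInfo (demo helper, constructed)."""
    rsa_pub = der(0x30, der_int(modulus) + der_int(exponent))
    spki = der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Extract the RSA modulus bit length from a DER SubjectPublicKeyInfo."""
    tag, seq, _ = read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, pos = read_tlv(seq, 0)
    oid_tag, oid, _ = read_tlv(alg_id, 0)
    if bytes([oid_tag]) + der_len(len(oid)) + oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = read_tlv(seq, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING holding RSAPublicKey")
    _, rsa_pub, _ = read_tlv(bit_string[1:], 0)  # skip the unused-bits byte
    _, n_bytes, _ = read_tlv(rsa_pub, 0)         # first INTEGER is the modulus n
    return int.from_bytes(n_bytes, "big").bit_length()


def parse_dkim_record(txt):
    """Split 'k=v; k=v' into a dict; whitespace inside values (folded TXT strings) is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def audit_dkim_record(txt, minimum_bits=1024):
    """Return {'bits': modulus size, 'weak': True if below minimum_bits}."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported DKIM record version")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only RSA keys are audited here")
    p = tags.get("p", "")
    if not p:  # an empty p= tag means the selector's key has been revoked
        return {"bits": 0, "weak": True, "note": "empty p= tag: key revoked"}
    bits = rsa_modulus_bits(base64.b64decode(p))
    return {"bits": bits, "weak": bits < minimum_bits}


# Constructed sample records: placeholder moduli of the stated size, not real keys.
WEAK_RECORD = make_dkim_record((1 << 511) | 1)      # 512-bit modulus, like the one in the story
STRONG_RECORD = make_dkim_record((1 << 2047) | 1)   # 2048-bit modulus, what Google moved to

if __name__ == "__main__":
    for name, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, audit_dkim_record(record))
```

The parser only reads the outer SPKI structure and the modulus, so it works on any DKIM `p=` value produced by OpenSSL-style tooling; a record with `k=ed25519` (RFC 8463) is rejected rather than misreported, and an empty `p=` is reported as a revoked key.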

Thinking this could be a recruiting test from Google, Harris thought of playing along and sent an e-mail to Page that looked as if it were coming from Brin.

“I love factoring numbers,” Harris said, as quoted by Forbes. “So I thought this was fun. I really wanted to solve their puzzle and prove I could do it.”

In the e-mail, he promoted his personal website as an interesting “idea still being developed in its infancy.” “I think we should look into whether Google could get involved with this guy in some way. What do you think?” the e-mail signed by “Sergey” read.

The mathematician didn't get an answer from Google, but soon discovered the company's cryptographic key had suddenly changed to 2,048 bits.

“I assumed the e-mail got to some influential tech person who looked at it and said, ‘Wait a second, how is this obviously spoofed e-mail getting through?’ And they apparently figured it out on their own,” Harris said.

He also found DKIM vulnerabilities in websites used by PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP, Match.com and HSBC.
