Mathematician Impersonates Google Founder to Point Out DKIM Flaw
An American mathematician impersonated Google founder Sergey Brin to point out a vulnerability in the company’s use of DomainKeys Identified Mail (DKIM), the scheme in which a domain signs its outgoing e-mail with a cryptographic key so that recipients can validate that the message really came from that domain, according to media reports.
“You obviously have a passion for Linux and programming,” the alleged Google recruiter said. “I wanted to see if you are open to confidentially exploring opportunities with Google?”
Because he didn’t think he was the ideal Google candidate, Harris was intrigued, and discovered the search giant was signing its mail with only a 512-bit key, half the size the DKIM standard calls for. A key that short can be factored with rented cloud-computing resources, so the flaw allowed anyone to forge a valid signature for the domain and impersonate an e-mail sender from Google, including the company’s founders Sergey Brin and Larry Page.
Thinking this could be a recruiting test from Google, Harris decided to play along and sent an e-mail to Page that looked as if it were coming from Brin.
“I love factoring numbers,” Harris said, as quoted by Forbes. “So I thought this was fun. I really wanted to solve their puzzle and prove I could do it.”
In the e-mail, he promoted his personal website as an interesting “idea still being developed in its infancy.” “I think we should look into whether Google could get involved with this guy in some way. What do you think?” the e-mail signed by “Sergey” read.
The mathematician didn’t get an answer from Google, but soon discovered the company’s cryptographic key had suddenly changed to 2,048 bits.
“I assumed the e-mail got to some influential tech person who looked at it and said, ‘Wait a second, how is this obviously spoofed e-mail getting through?’ And they apparently figured it out on their own,” Harris said.
He also found the same DKIM weakness, undersized signing keys, in the e-mail domains used by PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP, Match.com and HSBC.
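The weakness in this story is one a domain owner can check for themselves: a DKIM selector record is a DNS TXT record of the form `v=DKIM1; k=rsa; p=<base64 public key>`, and the modulus size of that key is what the article means by “512-bit” versus “2,048 bits”. The following is an added example, not code from the article or from any of the companies named; it parses such a record, decodes the DER-encoded RSA public key with a minimal ASN.1 reader (no third-party library), and flags keys below the 1024-bit floor the standard sets for signers. The two sample records are constructed inline from made-up moduli of exactly 512 and 2048 bits (they are not real keys and not Google’s), and `MIN_BITS`, `audit_dkim_record` and the helper names are this example’s own.

```python
import base64
import re

# Minimum RSA modulus size the DKIM standard requires of signers; the article's
# 512-bit key was half of this (assumption: 1024 as the audit threshold).
MIN_BITS = 1024


# ---- tiny DER encoder, used only to build the constructed sample records ----
def _der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """Encode a non-negative INTEGER, padding with 0x00 if the top bit is set."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def _der_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def rsa_spki_der(n: int, e: int = 65537) -> bytes:
    """Build a SubjectPublicKeyInfo for rsaEncryption (OID 1.2.840.113549.1.1.1)."""
    rsa_oid = bytes.fromhex("06092a864886f70d010101")
    alg = _der_seq(rsa_oid, b"\x05\x00")          # AlgorithmIdentifier, NULL params
    rsa_pub = _der_seq(_der_int(n), _der_int(e))   # RSAPublicKey ::= SEQUENCE {n, e}
    bit_string = b"\x03" + _der_len(len(rsa_pub) + 1) + b"\x00" + rsa_pub
    return _der_seq(alg, bit_string)


# ---- minimal DER reader, used to audit a record ----
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Extract the RSA modulus from a SubjectPublicKeyInfo and return its bit length."""
    tag, outer, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _alg, pos = _read_tlv(outer, 0)              # skip AlgorithmIdentifier
    tag, bit_string, _ = _read_tlv(outer, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = _read_tlv(bit_string[1:], 0)    # [0] is the unused-bits count
    tag, modulus, _ = _read_tlv(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt: str) -> dict:
    """Split a 'tag=value; tag=value' DKIM TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def audit_dkim_record(txt: str) -> dict:
    """Report the key type and modulus size of a DKIM record and whether it is too weak."""
    tags = parse_dkim_record(txt)
    key_type = tags.get("k", "rsa")                 # k= defaults to rsa when absent
    if key_type != "rsa":
        return {"key_type": key_type, "bits": None, "weak": None}
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:                                       # empty p= means the key is revoked
        return {"key_type": "rsa", "bits": 0, "weak": True, "revoked": True}
    bits = rsa_modulus_bits(base64.b64decode(p))
    return {"key_type": "rsa", "bits": bits, "weak": bits < MIN_BITS, "revoked": False}


def make_dkim_record(n: int) -> str:
    """Constructed sample record wrapping a made-up modulus (not a real key)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(n)).decode()


# Constructed moduli of exactly 512 and 2048 bits; only the size matters for the audit.
WEAK_RECORD = make_dkim_record((1 << 511) | 12345)
STRONG_RECORD = make_dkim_record((1 << 2047) | 12345)

if __name__ == "__main__":
    for label, rec in (("512-bit", WEAK_RECORD), ("2048-bit", STRONG_RECORD)):
        print(label, audit_dkim_record(rec))
```

In practice the record text would come from a DNS lookup of `<selector>._domainkey.<domain>` (the selector is named in the `s=` tag of a received message’s DKIM-Signature header), and the same audit applied to every selector a domain publishes; a result with `weak` set is the condition the article describes, and rotating to a 2048-bit key is the fix Google applied.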