Official TEKConn Blog

Mathematician exposes Google encryption flaw

Google recently fixed an encryption flaw found in its email systems.


Earlier this week, Google reportedly fixed a serious weakness that was discovered in its email systems – one that could have opened millions of individuals and the companies they work for to cyber attacks.

According to a Wired article, Zachary Harris, a mathematician, received an email from a Google recruiter about a job. Harris didn't think he was the right fit for the position, and figured either it was a spoofed email sent from scammers or it was actually from Google and was a test.

The second scenario seemed plausible because Harris noticed a glaring encryption gaffe in the message and thought that it was perhaps a way to screen applicants based on whether or not they were able to detect the error. It wasn't a test.

The article goes on to explain that the DomainKeys Identified Mail (DKIM) key used to encrypt the email was woefully weak. Google was using a 512-bit key instead of the security standard 1,024-bit length. Harris told Wired that he saw this as a fun puzzle to figure out, and he cracked Google's encryption. He then used it to send spoofed messages to Larry Page that appeared to be from Sergey Brin, Google's co-founders.
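The defensive check behind this story is simple: a domain's DKIM public key is published in DNS as a TXT record of the form `v=DKIM1; k=rsa; p=<base64 SubjectPublicKeyInfo>`, and the RSA modulus inside that record should be at least 1,024 bits (the floor the article refers to; 2,048 bits is the common choice today). The following script is an added example written for this post, not code from Wired, Google or Harris. It parses the DKIM tag=value record, decodes the DER-encoded key without any third-party library, and reports the modulus length. The three sample records are constructed here from placeholder moduli that merely have the right bit length; they are not real keys, and the helper names (`check_dkim_record`, `rsa_modulus_bits`, `make_record`) are this example's own.

```python
import base64

# --- minimal DER (ASN.1) helpers: enough to build and read an RSA
# --- SubjectPublicKeyInfo, which is what the DKIM "p=" tag carries.

def _der_len(n: int) -> bytes:
    """Encode a DER length (short form < 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:            # DER INTEGER is signed: keep it positive
        body = b"\x00" + body
    return _der_tlv(0x02, body)

# AlgorithmIdentifier body: OID 1.2.840.113549.1.1.1 (rsaEncryption) + NULL
RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")

def rsa_spki_der(modulus: int, exponent: int = 65537) -> bytes:
    """Wrap (n, e) as SubjectPublicKeyInfo, the layout used in DKIM p=."""
    rsa_public_key = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    bit_string = _der_tlv(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return _der_tlv(0x30, _der_tlv(0x30, RSA_ALG_ID) + bit_string)

def _der_read(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:             # long form: next (length & 0x7f) bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der: bytes) -> int:
    """Extract the RSA modulus from a SubjectPublicKeyInfo and size it."""
    tag, spki, _ = _der_read(spki_der, 0)
    assert tag == 0x30, "expected SubjectPublicKeyInfo SEQUENCE"
    _, _alg, pos = _der_read(spki, 0)           # AlgorithmIdentifier
    tag, bitstr, _ = _der_read(spki, pos)       # BIT STRING with the key
    assert tag == 0x03, "expected BIT STRING"
    _, rsa_key, _ = _der_read(bitstr[1:], 0)    # skip unused-bits byte
    tag, mod_bytes, _ = _der_read(rsa_key, 0)   # first INTEGER = modulus n
    assert tag == 0x02, "expected INTEGER modulus"
    return int.from_bytes(mod_bytes, "big").bit_length()

# --- DKIM record handling

MIN_BITS = 1024   # the floor the article calls the "security standard"

def parse_dkim_record(txt: str) -> dict:
    """Split a 'v=DKIM1; k=rsa; p=...' TXT record into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def check_dkim_record(txt: str, min_bits: int = MIN_BITS) -> tuple:
    """Return (modulus_bits, meets_minimum) for an RSA DKIM record."""
    tags = parse_dkim_record(txt)
    # Long TXT records are often published in chunks; drop any whitespace.
    p = "".join(tags.get("p", "").split())
    if not p:                     # an empty p= means the key is revoked
        return (0, False)
    bits = rsa_modulus_bits(base64.b64decode(p))
    return (bits, bits >= min_bits)

def make_record(bits: int) -> str:
    """Build a constructed sample record (placeholder modulus, NOT a real key)."""
    fake_modulus = (1 << (bits - 1)) | 1       # odd, exactly `bits` bits long
    p = base64.b64encode(rsa_spki_der(fake_modulus)).decode()
    return f"v=DKIM1; k=rsa; p={p}"

# Constructed sample records standing in for what `dig TXT` would return.
SAMPLE_RECORDS = {
    "weak": make_record(512),      # the key length in the Google story
    "ok": make_record(1024),
    "strong": make_record(2048),
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        bits, ok = check_dkim_record(record)
        print(f"{name:>6}: {bits}-bit RSA key -> {'OK' if ok else 'WEAK, rotate'}")
```

To run this against a real domain, fetch the record with `dig +short TXT <selector>._domainkey.<domain>` (the selector is the `s=` value in a received message's `DKIM-Signature` header), join the quoted chunks, and pass the string to `check_dkim_record`. Anything under 1,024 bits should be treated as a rotation ticket, not a finding to file away: as the article shows, a short key lets anyone produce signatures that receiving mail servers will accept as the domain's own.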

Here is where the danger of weak encryption standards rears its ugly head. It can lead to spear-phishing attacks, where fake emails containing malware are sent to individuals and made to appear as if they are from a trusted source. These cyber threats can wreak havoc on a business' network and IT assets.

A Google representative told the news source that they saw the problem and immediately fixed it. Harris found the same security weakness in several other companies, including Yahoo, Microsoft, Amazon and PayPal. According to an IT World report, Microsoft and Yahoo have since fixed the flaw. No word was given on the other organizations.

The best IT support companies in the world will tell you that if the likes of Google can make missteps, anyone can. Regular monitoring of small business networks is essential to maintain IT security.