An American mathematician impersonated Google founder Sergey Brin to point out a vulnerability in the company’s DomainKeys Identified Mail (DKIM) setup, the mechanism by which a domain publishes a cryptographic key that signs its outgoing e-mails so that recipients can validate them, according to media reports.
“You obviously have a passion for Linux and programming,” the alleged Google recruiter said. “I wanted to see if you are open to confidentially exploring opportunities with Google?”
Because he didn’t think he was the ideal Google candidate, Harris was intrigued. Looking into the e-mail, he discovered the search giant was signing with only a 512-bit DKIM key, half the length the DKIM standard calls for. A key that short could easily be factored with cloud-computing resources, allowing anyone to impersonate an e-mail sender from Google, including the company’s founders Sergey Brin and Larry Page.
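The check a mail administrator would want after reading this is whether their own published DKIM key is as short as the one described above. The following script is an added example, not code from the article or from Harris: it parses the text of a DKIM DNS TXT record (`v=DKIM1; k=rsa; p=...`), decodes the base64 SubjectPublicKeyInfo in the `p=` tag with a small hand-written DER reader, and reports the RSA modulus length against the 1024-bit minimum the DKIM standard (RFC 6376) requires. The two sample records are constructed from placeholder moduli of 512 and 2048 bits (not real RSA keys, just integers of the right length), so the script runs offline; the DER encoder exists only to build those samples.

```python
import base64

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


# --- minimal DER encoder, used only to build the constructed samples ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # keep the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def encode_rsa_spki(n, e=65537):
    """DER SubjectPublicKeyInfo for an RSA public key (n, e)."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # OID + NULL
    bit_string = _der(0x03, b"\x00" + rsa_key)              # 0 unused bits
    return _der(0x30, alg_id + bit_string)


# --- minimal DER reader, the part an auditor actually needs ---
def _read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, outer, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _read_tlv(outer, 0)
    if tag != 0x30 or not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _read_tlv(outer, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_key, _ = _read_tlv(bits, 1)      # skip the unused-bits byte
    tag, n_bytes, _ = _read_tlv(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("modulus INTEGER missing")
    return int.from_bytes(n_bytes, "big").bit_length()


def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' into a dict; whitespace inside p= is allowed."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def audit_dkim_record(txt, minimum_bits=1024):
    """Report the key size of a DKIM TXT record and whether it is below the minimum."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported DKIM version: %r" % tags.get("v"))
    if tags.get("k", "rsa") != "rsa":
        return {"key_type": tags["k"], "bits": None, "weak": None}
    if not tags.get("p"):
        return {"key_type": "rsa", "bits": 0, "weak": None, "revoked": True}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return {"key_type": "rsa", "bits": bits, "weak": bits < minimum_bits}


# Constructed placeholder moduli: correct bit length, NOT real RSA keys.
WEAK_N = (1 << 511) | 1        # 512 bits, the size described in the article
STRONG_N = (1 << 2047) | 1     # 2048 bits, the size Google moved to


def make_dkim_record(n):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(encode_rsa_spki(n)).decode()


SAMPLE_WEAK = make_dkim_record(WEAK_N)
SAMPLE_OK = make_dkim_record(STRONG_N)

if __name__ == "__main__":
    for label, record in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(label, audit_dkim_record(record))
```

To audit a real domain, fetch the TXT record at `<selector>._domainkey.<domain>` (the selector comes from the `s=` tag of a DKIM-Signature header) and pass its text to `audit_dkim_record`; DNS often returns the long `p=` value as several quoted strings, which is why the parser strips whitespace before base64-decoding. A result with `weak: True` means the key is below the RFC 6376 minimum and should be rotated, preferably to 2048 bits as Google did.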
Thinking this could be a recruiting test from Google, Harris decided to play along and sent Page an e-mail that appeared to come from Brin.
“I love factoring numbers,” Harris said, as quoted by Forbes. “So I thought this was fun. I really wanted to solve their puzzle and prove I could do it.”
In the e-mail, he promoted his personal website as an interesting “idea still being developed in its infancy.” “I think we should look into whether Google could get involved with this guy in some way. What do you think?” the e-mail signed by “Sergey” read.
The mathematician didn’t get an answer from Google, but soon discovered the company’s cryptographic key had suddenly changed to 2,048 bits.
“I assumed the e-mail got to some influential tech person who looked at it and said, ‘Wait a second, how is this obviously spoofed e-mail getting through?’ And they apparently figured it out on their own,” Harris said.
He also found similar DKIM key weaknesses in the domains of PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP, Match.com and HSBC.